@mattab opened this Issue on November 22nd 2011 Member

In Piwik we focus a lot on security and aim to track and fix all potential code issues. But there are often other reasons that would let intruders in a system. It could be interesting to give a list of interesting resources or Must-have regarding securing a Piwik server.

I am thinking in particular tips such as:

  • install Piwik in a new separate mysql db
  • use a new mysql user and password
  • make sure you use latest PHP, Mysql, Apache, OS
  • use SSH rather than FTP
  • If you must use FTP, do not store the password in your ftp software (easy prey for malwares)
  • Always keep your own computer up to date, including Flash, Acrobat Reader, your browser, OS vulnerabilities
  • Turn on SSL logins in your Piwik (better with a valid certificate on your Piwik domain)
  • backup and test the restore
  • use strong passwords

We could create a new section in the page: http://piwik.org/security/
with a simple list of items to do to make the Piwik server very secure.

Any feedback please comment!

@robocoder commented on January 26th 2012 Contributor
  • .htaccess protect the root piwik folder (but allow piwik.php and js/ for all)
  • bootstrap.php to move .php files out of the public web folder
  • encrypting mysql password (see DBObsecurity plugin)
@mattab commented on January 26th 2012 Member

OK let's make this ticket a bullet point. I will then put it in a website page and link it from http://piwik.org/security/

Have you got any other suggestion Anthon?

@robocoder commented on January 26th 2012 Contributor

The rest of my ideas will be implemented in code. ;)

@mattab commented on January 27th 2012 Member

I have updated the Piwik security page to make it more clear.

Create the new guide How to secure a Piwik server? and have put the few tips we had.

Have linked the page from the Optimize and secure section of the docs.

Any feedback please edit the page directly (vipsoft) or please put feedback here and I'll modify the page!

This Issue was closed on January 27th 2012
Powered by GitHub Issue Mirror