Matomo handles visitor analytics, potentially with personal data. Hardening should focus on privacy controls, admin account security, and strict server permissions. Matomo has a strong security focus with a bug bounty program offering up to $13,000 for critical security issues.
1) HTTPS and SSL Configuration
- Enforce HTTPS for dashboard and tracking endpoints
- Enable automatic SSL redirection in Matomo settings
- Add to `config/config.ini.php`:

```ini
[General]
force_ssl = 1
```

- Set trusted hosts (`trusted_hosts[]`) in `config/config.ini.php`:

```ini
[General]
trusted_hosts[] = "matomo.yourdomain.com"
trusted_hosts[] = "analytics.yourdomain.com"
```
- Disable superuser web login from untrusted networks where possible
- Keep 2FA enabled for administrator accounts
- Use strong, unique passwords for all accounts
- Store passwords in an encrypted password manager
- Define allowed email domains for user invitations and logins
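The two `[General]` settings above are the ones that most often drift after an upgrade or a copied config, so it is worth checking them mechanically. The script below is an added example (not Matomo project code) that reads `config/config.ini.php` with a small INI reader and fails when `force_ssl` is not `1` or when `trusted_hosts[]` is missing or holds something other than plain `host[:port]` entries. It assumes Matomo's stock INI layout (bracketed section headers, `key = value`, array keys written as `key[] = "value"`); the sample config files in the usage note are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not code from the Matomo project: verify the [General]
# settings this section asks for in a Matomo config/config.ini.php.
# Assumption: stock Matomo INI layout (sections in brackets, "key = value",
# array keys written as key[] = "value", ";" comments).
set -u

# ini_values SECTION KEY FILE
# Prints the value(s) of KEY inside [SECTION], one per line, quotes stripped.
# Handles both scalar keys and repeated KEY[] array entries.
ini_values() {
  local section="$1" key="$2" file="$3"
  awk -v sec="[$section]" -v key="$key" '
    /^[[:space:]]*\[/ { hdr = $0; gsub(/[[:space:]]/, "", hdr); insec = (hdr == sec); next }
    insec && $0 ~ ("^[[:space:]]*" key "(\\[\\])?[[:space:]]*=") {
      sub(/^[^=]*=[[:space:]]*/, "")      # drop "key = "
      sub(/[[:space:]]*;.*$/, "")         # drop a trailing ; comment
      sub(/[[:space:]]+$/, "")
      gsub(/^"|"$/, "")                   # strip surrounding quotes
      print
    }' "$file"
}

# check_matomo_general FILE
# Returns 0 when force_ssl is on and trusted_hosts[] holds explicit hostnames;
# otherwise prints one line per finding and returns 1.
check_matomo_general() {
  local file="$1" rc=0 ssl hosts h
  ssl=$(ini_values General force_ssl "$file" | tail -n1)
  if [ "$ssl" != "1" ]; then
    echo "FAIL: force_ssl is '${ssl:-unset}' (expected 1) in $file"; rc=1
  fi
  hosts=$(ini_values General trusted_hosts "$file")
  if [ -z "$hosts" ]; then
    echo "FAIL: no trusted_hosts[] entries; the request Host header is accepted unverified"; rc=1
  fi
  while IFS= read -r h; do
    [ -n "$h" ] || continue
    case "$h" in
      *'*'*|*/*) echo "FAIL: trusted_hosts[] entry '$h' is not a plain host[:port]"; rc=1 ;;
    esac
  done <<< "$hosts"
  return "$rc"
}

# Usage against a real install (path as used elsewhere in this checklist):
cfg=/var/www/html/matomo/config/config.ini.php
if [ -f "$cfg" ]; then check_matomo_general "$cfg"; fi
```

Run it from cron or a configuration-management check so a config that silently loses `force_ssl` or `trusted_hosts[]` is caught before the dashboard starts trusting whatever `Host` header a client sends.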
2) Privacy and Data Minimization
- Enable IP anonymization to enhance visitor privacy
- Configure it under Admin → Privacy → Anonymize IP addresses
- Configure data retention to automatically delete old data
- Set appropriate retention periods based on business needs
- Enable automatic log deletion after specified period
- Disable or restrict User ID and detailed visitor profiling unless required
- Mask sensitive data in URLs and form fields
- Respect Do Not Track headers from browsers
- Provide opt-out functionality for visitors
3) Server and Filesystem Hardening
- Restrict write permissions to the required Matomo paths only
- Only these paths should be writable by the web-server user: `config/config.ini.php`, `misc/user/`, `matomo.js`, `piwik.js`, and the `tmp/` directory
- Set proper ownership: `chown -R www-data:www-data /var/www/html/matomo`
- Give Matomo its own MySQL/MariaDB database so it is isolated from other applications
- Run `mysql_secure_installation` and answer "Yes" to all security questions
- Use a new MySQL user and password specifically for Matomo (don't reuse credentials)
- Ensure your database server isn't accessible from the Internet; only allow connections from the Matomo web servers
- Block web access to the temporary Matomo files (the `matomo/tmp` and `config/` folders) if using Nginx
- Disable directory listing in the web server configuration
- Restrict access by IP address using `.htaccess` files where appropriate
4) Network and Access Security
- Limit access to Matomo admin interface to specific IP ranges
- Only allow external access to the required tracking files (`matomo.php`, `matomo.js`, etc.)
- Use reverse proxy with rate limiting to prevent abuse
- Protect tracking API tokens and archive cron settings
- Rotate API tokens periodically
- Use different tokens for different purposes
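The Nginx items in sections 3 and 4 (blocking `tmp/` and `config/`, exposing only the tracking endpoints, restricting the admin interface by IP, rate limiting) fit in one server block. The fragment below is an added example written for this checklist, not Matomo's shipped Nginx configuration. It assumes the install path `/var/www/html/matomo`, PHP-FPM listening on `unix:/run/php/php-fpm.sock`, and admin networks `203.0.113.0/24` and `198.51.100.10`, which are RFC 5737 documentation addresses standing in for your own ranges.

```nginx
# Added example (not Matomo's own config). Assumed: root /var/www/html/matomo,
# PHP-FPM on unix:/run/php/php-fpm.sock, admin networks 203.0.113.0/24 and
# 198.51.100.10 (RFC 5737 documentation ranges; substitute your own).

# Rate-limit bucket for the tracking endpoint; belongs in the http {} context.
limit_req_zone $binary_remote_addr zone=matomo_track:10m rate=30r/s;

server {
    listen 443 ssl http2;
    server_name matomo.yourdomain.com;
    root /var/www/html/matomo;
    index index.php;
    autoindex off;                       # no directory listings anywhere

    # ssl_certificate / ssl_certificate_key directives go here (omitted).

    # Internal code and data directories must never be served directly.
    location ~ ^/(config|tmp|core|lang)(/|$) {
        deny all;
    }
    location ~ /\.(ht|git) {
        deny all;
    }

    # Tracking endpoints: public, but rate-limited per client IP. Add
    # js/index.php here if you serve the tracker through it.
    location ~ ^/(matomo|piwik)\.php$ {
        limit_req zone=matomo_track burst=60 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
    location ~ ^/(matomo|piwik)\.js$ {
        expires 1h;
    }

    # Admin UI and Reporting API both go through index.php: restrict it to
    # trusted networks. Any host that calls the Reporting API must be listed.
    location = /index.php {
        allow 203.0.113.0/24;
        allow 198.51.100.10;
        deny all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # No other PHP file is reachable from the network.
    location ~ \.php$ {
        deny all;
    }

    # Static assets (plugin CSS/JS/images, misc/user logos) are fine to serve.
    location / {
        try_files $uri $uri/ =404;
    }
}
```

Regex `location` blocks are matched in the order written, so the `deny` rules for `config/` and `tmp/` and the tracking-endpoint block must stay above the catch-all `\.php$` deny. The rate limit is tuned for page-view traffic; a site that fires many events per visitor needs a higher `rate`/`burst`, otherwise legitimate hits are dropped with 503 and the gap shows up as missing data rather than as an error in Matomo.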
5) Monitoring and Maintenance
- Subscribe to the changelog and keep Matomo on the current version
- Keep PHP, MySQL/MariaDB, web server (Apache/Nginx), and OS updated
- Use the latest Matomo version (currently 5.7.1) for security patches
6) Logging and Monitoring
- Enable logging on all servers with automatic backup of log files
- Enable access logs on the Matomo web server
- Monitor servers actively with alerts for warning/critical thresholds
- Monitor Matomo service with uptime checks
- Install and configure the SecurityInfo plugin to identify and fix security issues
- Regularly review security reports from the plugin
- Monitor inactive accounts and receive alerts for accounts inactive for more than 180 days
- Limit what superusers can do if you don't fully trust them
- Implement role-based access controls appropriately
- Disable `display_errors` in PHP and log errors to a file instead
- Set appropriate memory limits for processing requests
7) Verification Commands
Check your security configuration:

```bash
# Check trusted hosts and SSL settings
grep -E 'trusted_hosts|force_ssl' /var/www/html/matomo/config/config.ini.php

# Check file permissions on the directories that are allowed to be writable
find /var/www/html/matomo -maxdepth 2 -type d \( -name tmp -o -name config -o -name misc \) | xargs ls -ld

# Check listening services
sudo ss -tulpn | grep -E ':80|:443'

# Check the database host (should be localhost or a private address, not a public one)
grep -E '^host[[:space:]]*=' /var/www/html/matomo/config/config.ini.php
```
8) References
- Matomo security FAQ: https://matomo.org/faq/general/faq_18254/
- Matomo hardening recommendations: https://matomo.org/docs/security/
- Matomo privacy controls: https://matomo.org/faq/general/faq_146/
- Matomo source and advisories: https://github.com/matomo-org/matomo/security
- Matomo bug bounty program: https://hackerone.com/matomo