Open Web Analytics (OWA) is a PHP analytics app with a history of vulnerabilities in older versions. The top priority is running a maintained release and locking down the admin and tracking endpoints.
¶ 1) Keep OWA version current and patched
- Run only the latest stable OWA release.
- Track upstream release notes for security fixes.
- Remove unused legacy plugins/extensions.
- Validate upgrade by checking admin login, tracking ingestion, and reports.
¶ 2) Harden admin and tracker endpoints
- Restrict /owa/ admin access with authentication and a network policy.
- Enforce HTTPS and secure cookies.
- Disable public registration if not needed.
- Keep API keys and tracker site IDs out of public repositories.
¶ 3) PHP and filesystem hardening
- Run OWA with non-root web user.
- Restrict write permissions to required cache/tmp directories only.
- Disable dangerous PHP functions where OWA does not need them.
- Keep PHP and DB engine patched.
¶ Verification commands
# Confirm the PHP release in use is a supported, patched one
php -v
# Locate credential and site-ID settings so you know which files must not be world-readable (-E so the | alternation is a regex, not a literal)
grep -RE "OWA_DB|site_id|auth" /var/www/owa/owa-config.php /var/www/owa/owa-data 2>/dev/null | head
# List world-writable directories; only the intended cache/tmp directories should appear
find /var/www/owa -type d -perm -002 -ls
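As an added example for sections 2 and 3 and the verification commands above (not code from the OWA project), this script turns those checks into reusable functions. It assumes the OWA root and php.ini paths are passed as arguments, that owa-config.php sits directly under the root, and that the allowed writable directory names (owa-data/caches in the usage line) are placeholders for your own layout.

```shell
#!/bin/sh
# Added audit helper for this checklist; not code from the OWA project.
# Assumptions: $root is the OWA document root, owa-config.php sits directly
# under it (as in the verification commands above), and the only
# legitimately writable directories are those passed as relative prefixes.

# Print world-writable directories under $1 that are outside the allowed
# prefixes given as the remaining arguments. Empty output means clean.
owa_unexpected_writable_dirs() {
  root="$1"; shift
  find "$root" -type d -perm -002 | sort | while IFS= read -r dir; do
    rel="${dir#"$root"/}"
    ok=0
    for allowed in "$@"; do
      case "$rel" in
        "$allowed"|"$allowed"/*) ok=1 ;;
      esac
    done
    if [ "$ok" -eq 0 ]; then printf '%s\n' "$dir"; fi
  done
}

# Return 0 when $1/owa-config.php exists and is not readable by "other"
# (-perm -004 tests the world-read bit); return 1 when it is exposed or missing.
owa_config_is_private() {
  cfg="$1/owa-config.php"
  [ -f "$cfg" ] || return 1
  if find "$cfg" -perm -004 | grep -q .; then return 1; fi
  return 0
}

# Print the php.ini hardening directives that are missing or disabled in $1:
# secure/HttpOnly session cookies (section 2) and disable_functions (section 3).
owa_php_ini_gaps() {
  ini="$1"
  on='[[:space:]]*=[[:space:]]*(1|[Oo]n|[Tt]rue)'
  grep -Eq "^[[:space:]]*session\.cookie_secure$on" "$ini" || echo session.cookie_secure
  grep -Eq "^[[:space:]]*session\.cookie_httponly$on" "$ini" || echo session.cookie_httponly
  grep -Eq '^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*[^[:space:]]' "$ini" || echo disable_functions
}

# Usage: sh owa_audit.sh /var/www/owa /etc/php.ini owa-data/caches
if [ "$#" -ge 2 ]; then
  root="$1"; ini="$2"; shift 2
  owa_unexpected_writable_dirs "$root" "$@"
  owa_config_is_private "$root" || echo "owa-config.php is missing or world-readable"
  owa_php_ini_gaps "$ini"
fi
```

Any directory the first function prints, and any directive the third prints, is a gap against the checklist above.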
¶ References
- Open Web Analytics project: https://www.openwebanalytics.com/
- Open Web Analytics source: https://github.com/Open-Web-Analytics/Open-Web-Analytics
- OWA security advisories (GitHub): https://github.com/Open-Web-Analytics/Open-Web-Analytics/security