Flood and attack control



Does Piwik have any flood and/or attack control? I’m not talking about protection against DDoS attacks or similar, just preventing someone from using the HTTP API to create false calls to the Piwik tracker.

For instance, a hacker may try to create 1,000 page views by calling the action tracking API programmatically; he can even change the _id parameter in order to simulate different visitors.


Hello, I have been looking for the very same answer for several hours.

How come nobody thought of this? I made this test:

site A, id: 1
site B, id: 2

I can track visits from A with id 2 (reported on site B visitor panel) and vice-versa (B with id 1, reported on site A visitor panel).

Unfortunately, I couldn’t find anything to at least reduce this issue and discard URLs other than those associated with the current site ID.

Having just started to learn Piwik, maybe I am missing something…?

I really need to avoid our users manually entering another ID to alter someone else’s data.

Thanks to whoever can shed some light on this…

(Matthieu Aubry) #3

Hi there,

We are actually working on this feature, check out this issue: New website setting: Only track visits and actions when the action URL starts with one of the above URLs · Issue #588 · matomo-org/piwik · GitHub
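
The check named in that issue title, sketched as an added example (not part of the thread and not Piwik's own code): a tracking request is accepted only when its `url` parameter starts with one of the URLs registered for its `idsite`. The `SITE_URLS` table, the function names and the `.example` hosts are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: site IDs mapped to the URLs registered for each site.
SITE_URLS = {
    1: ["http://site-a.example"],
    2: ["https://site-b.example/shop"],
}

def _normalize(url):
    """Return (host, path): lowercase host without 'www.', path without trailing slash."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if host.startswith("www."):
        host = host[4:]
    return host, parts.path.rstrip("/")

def url_belongs_to_site(action_url, site_id, site_urls=SITE_URLS):
    """True if action_url starts with one of the URLs registered for site_id."""
    target = _normalize(action_url)
    if target is None:
        return False
    for registered in site_urls.get(site_id, []):
        base = _normalize(registered)
        if base is None or base[0] != target[0]:
            continue  # host must match exactly, not merely share a prefix
        # The path prefix must end on a segment boundary:
        # /shop matches /shop/cart but not /shopping.
        if target[1] == base[1] or target[1].startswith(base[1] + "/"):
            return True
    return False

def should_track(query_string, site_urls=SITE_URLS):
    """Decide whether a tracking request's url parameter matches its idsite."""
    params = parse_qs(query_string)
    try:
        site_id = int(params["idsite"][0])
        action_url = params["url"][0]
    except (KeyError, ValueError):
        return False  # missing or non-numeric idsite, or no url at all
    return url_belongs_to_site(action_url, site_id, site_urls)
```

This covers the mismatched-ID case from the second post; because `url` is supplied by the client, it does not by itself bound the request volume raised in the first post.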