Have turned off mod security and followed instructions, no data or pages tracked

Hi! Didn’t want to hijack someone else’s thread, so I started one here.

I downloaded and installed the latest.zip from today for piwik.

I installed it at analytics.mydomain.com

During the install everything installed correctly, except I got an error saying it couldn’t access piwik.php and that I should either change it to a post setup or disable and whitelist mod_security.

On my host we are allowed to use .htaccess files and create our own local php.ini files. So whenever I needed previously to turn off mod_security for previous other software I just dropped in a .htaccess file and that turned it off.

So I did the same thing here.

Here’s the code in the .htaccess file:

SecFilterEngine Off SecFilterScanPOST Off

Theoretically the above code should turn off mod_security and has worked and is working in other directories for me for other software.

I also followed the checklist you provided and checked the piwik settings and as well my javascript code placed in my code for my site which is here:

Everything looks correct, mod_security has been turned off, piwik settings are correct and yet still no tracking data. And no data showing up in my database for piwik.

I did notice that for the latest version of latest.zip, there were actually two piwik.js files showing up in the latest piwik zip. One located in the js directory that was 61kb and one located right in the root directory that was 16kb, both named piwik.js

Couple quick questions.

Is that supposed to be?

And which domain needs mod_security turned off? The subdomain where I put the piwik code or the domain that’s being tracked? Or both?

And what can I do now that I have disabled mod_security and have access to both the use of a .htaccess file and a local php.ini file if I need it.

Any help is much appreciated. In talking to my host provider turning off mod_security in both the subdomain and the domain being tracked should have removed any mod_security issues and whitelisted the domains.

For us people who can use htaccess file to turn stuff off on our own, what’s your best suggestion? Thanks!

Want to like this, can’t though if it doesn’t cooperate. =)

Thanks for your help,



Question: isn’t turning off mod_security and letting people send urls back inside the query string to your software kind of dangerous? ie…if I was a hacker I would just call that file, piwik.php with an engineered url… to gain control of stuff on the server side. At least I think I could. Any reason you need to send a full url? couldn’t you break it up into pieces and solve the problem and the need to send an entire url?

I turned on $GLOBALS[‘PIWIK_TRACKER_DEBUG’] = true;

And got this information when calling the piwik.php file directly:

Input parameters:
array ( ‘idsite’ => ‘1’, )
Loading plugins: { Provider,Goals }
Current datetime: 2011-03-08 18:13:16
GET parameter rec not found in URL, request excluded
Visitor excluded.
-> Scheduled tasks not triggered.
Next run will be from: 2011-03-08 18:44:42 UTC
Nothing to notice => default behaviour
End of the page.

array (
‘PIWIK_SESSID’ => ‘cc3c53cbb753c4ee5afca5fbdbbe76ac’,
‘piwik_auth’ => XXX’,
Time elapsed: 0.103s

But don’t know what the above means…except nothing got triggered I guess.

Which should mean the piwik.php is now hopefully available after I turned off mod_security in my .htaccess file. It wasn’t before, as it was throwing a 403 error when I called it before turning off mod_security. That being said still no stats being stored/triggered. =(

Is there a standard test url I can use to quick call the piwik.php file directly with? To test etc…

Thanks for any insight and help.

lancelot_one, I don’t know about you but this component has to many bugs and was released before the author had finished completing the testing of it.
I have noticed that the author is not the one who responds to posts in the forum but uses the likes of us to sort out the bugs for him.

I bet once all the bugs are sorted, he will go commercial with it and make a ton of cash while we are the ones who did all the work get jack shit!

A pity it is so bug full, I for one am not going to use it any-more, back to GA (which is shit as well, but at least it works!) for me.

Hi Chaka, well I stuck to it. And put it into a container and whitelisted one of the mod_security rules, oddly enough it was like rule 12344321 or something like that. Don’t quote me on the rule number, though there are quite a few. Phew! =)

Once I did that, I then did a quick check of the piwik system by first renaming the config.ini.php to config.old.php and then using the install checklist found on the second page of the piwik install to check on everything for me.

When everything checked out I then renamed the config file back to config.ini.php and everything worked. Stuff started showing up. Woot! =)

The problem here seems to be, but don’t quote me on this, that the newest form of mod_security doesn’t like urls or even encoded urls passed in the querystring as parameters. Because sometimes they can be run/eval’d by the system unknowingly and the encoding then doesn’t protect. The short term fix is to whitelist the new mod_security rule/turn it off and to apply a rider to programatically reformat/substitute areas in the url parameter that piwik passes as part of it’s querystring into something less threatening like an array or a substitution and then piece it back together wherever needed.

Possibly the long term fix for piwik though, so they can stop worrying about getting any more mod_security errors, because they aren’t going away, may be to change the piwik code to either serialize the url parameter found in the piwik querystring, or send it as an array or to use a substitution or just not to use a full fledged url as a parameter, but instead to chop it up into reconstitutable pieces. This definitely seems like something that can be fixed.

Note: I was wrong about changing the mod_security option in your .htaccess file. As yes, at some hosts it does work and at others though, they may have that ability turned off at the web server level. So just depends on your host, whether you can do that or not.

Hope this helps somebody,



P.s. Thanks for putting the time into some great software, if you could just fix this mod_security burp you’d be golden. =)


Way to go lancelot_one, what you have done is waaaaayyyyyyy above my pay grade, I am just a dumb site owner and do not have a web master.

But good luck with it.

I agree with you entirely and fixing the burp would help idiots like me. :)-D

(I edited your post to remove your login cookie details.)


  • “SecFilterEngine Off” is no longer supported by newer versions of mod_security
  • js/piwik.js is the unminified, original JavaScript for developers, or anyone curious about how it works
  • ./piwik.js is the minified JavaScript
  • js/index.php is a proxy for piwik.js and piwik.php - use this if you don’t want AdBlockPlus subscriptions from blocking Piwik
  • the domain(s) that host Piwik (i.e., pkBaseUrl in your tracking code) need to be whitelisted from the mod_security rules
  • the default date being shown in the dashboard is “yesterday”; try changing the date via the calendar date picker
  • in user settings, it may say the default date is today … “Save” to be sure
  • hosting providers generally roll out mod_security rules without preannouncing the changes or providing read-access to the rules, so we have no way to debug this or advise which specific rules to whitelist
  • Piwik was designed to allow you to track non-http outlinks (e.g., mailto:, ftp: ) too; chunking the URL was considered, but at one point, HostGator blocked even simple URLs like:

vipsoft, what is the fix for this? :S

I have installed Piwik, but no stats and I am sure you have read above I am a complete numpty when it comes to issues like this. :sunglasses:

Sup vipsoft! Thanks very much for the info. Muchas gracias! I definitely feel your pain on this one. =) Yeah some hosting providers permit SecFilterEngine Off, or a variation of it and some don’t, so I was both right and wrong on that. Just depends on the hosting company. And of course the version etc…

Don’t be too hard on HostGator they got rocked by some break ins earlier on in their life cycle so they have the thing turned way up. =) I don’t mind that.

I was just thinking that you could still send the url, just in a mod_security/mod_security2 approved way. I admit I don’t know what that is yet. =) Have you tried serializing all the parameters including the url parameter and sending it? Or substituting blah for http etc…

I’m sure you’ll find a great way, I just suggest you find only one way though, for everyone, because having one way here and one way there will cause you lots more headaches. Since people’s techniques may not always be on the high side.

Thanks again for the info. I don’t know enough about your internals to help. I know you’ll find a cool way to do it.

Where do you guys create and send the url?

Hi Chaka! Hey who’s your hosting with? You’ll probably have to do what I did and turn off one of the mod_security rules to get the data to show, post to the database correctly?

Let me know if I can lend a hand/help. I admit I’m still new to this software.

Hi lancelot_one, I am with Hostgator. I had them white list Piwik earlier on and still no joy.

Just checked and all is working. (:smiley:

Hey how cool is that? =) Working right? Sometimes the software gods are with you. =)

I think it is! Lets hope they stay on side. d:-Þ