Lorelle

Have Your Stats Been Hijacked?

Web Analytics, January 15th, 2009 by Lorelle

Vladimir Prelovac was having an analytically bad day with Google Analytics. According to them, he was getting 10 visitors a day from Google searches for “bioenergoterapia” – a word not found on his blog.

In “Google Analytics might have a problem,” he reported on the detective work that led him to a fascinating discovery. His Google Analytics code was hijacked by a site in Poland.

I made a search on google.pl again and found a site called psychoenergoterapia.pl. The site is using my theme, nothing wrong with that, but for some unknown reason they also decided to copy and paste the contents of my site footer, including the Google Analytics code.

And clearly it was working just fine in this alien environment.

…The case basically proves that it is possible to dramatically skew somebody’s analytics data and potentially make huge damage to them. Who are them? Companies paying a lot of money for adwords and conversion campaigns for example…

He asked psychoenergoterapia.pl to remove his Google Analytics code from their footer, and gave us something to think about.

What if someone is using your Google Analytics or Woopra code on their site because they not only copied your WordPress Theme or website design, but also your analytics JavaScript code? Prelovac admitted he thought this was impossible, that his code was protected. Clearly not.

We here at Woopra considered this security issue from the very beginning. Woopra automatically verifies that the domain name matches the member’s account. If it doesn’t match, it will not track the statistics on that site, nor impact your site’s traffic.

With Woopra, this security protection comes built-in from the start. However, Google Analytics also protects your site’s traffic, if you take the right steps.

Protecting Your Site With Google Analytics

Google Analytics collects data according to Web Property ID, not domain name or website, so any page that carries your tracking code reports into your account. You can set your Profile to restrict which sites data will be collected from.

In your Google Analytics Profile Settings, create a predefined or custom filter that excludes all traffic from a specific domain or includes only traffic to a specific domain or subdirectory. There are a variety of Include and Exclude filters to choose from that use regular expressions to match the data, tracking only your site in your statistics.
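How an Include filter on hostname separates your own traffic from a copied snippet depends on how the pattern is written. The following is an added example, not code from Google Analytics or from the original post; it assumes the pattern is applied as a partial regular-expression match against the hostname reported with each hit, and every domain and hit record in it is constructed.

```javascript
// Added illustration; the domain names and hit records below are constructed.
// Assumption: the filter pattern is applied as a partial (unanchored) regex
// match against the hostname reported with each hit.

// Build an anchored, escaped pattern for one domain and its optional "www." prefix.
function hostnamePattern(domain) {
  const escaped = domain.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return "^(www\\.)?" + escaped + "$";
}

// Emulate an Include filter: keep only hits whose hostname matches the pattern.
function applyIncludeFilter(pattern, hits) {
  const re = new RegExp(pattern, "i");
  return hits.filter((hit) => re.test(hit.hostname));
}

// Count the hostnames seen under one Web Property ID so unexpected ones stand out.
function hostnameCounts(hits) {
  const counts = {};
  for (const hit of hits) {
    const h = hit.hostname.toLowerCase();
    counts[h] = (counts[h] || 0) + 1;
  }
  return counts;
}

// Constructed sample: hits recorded under a single Web Property ID.
const sampleHits = [
  { hostname: "example.com", page: "/" },
  { hostname: "www.example.com", page: "/about" },
  { hostname: "copied-theme.example.net", page: "/" },       // another site reusing the snippet
  { hostname: "example.com.mirror.example.net", page: "/" }, // contains the domain as a substring
  { hostname: "examplexcom.example.net", page: "/" },        // matches an unescaped "."
];

const loosePattern = "example.com";                  // unanchored, dot not escaped
const strictPattern = hostnamePattern("example.com"); // ^(www\.)?example\.com$

console.log("hostnames seen:", hostnameCounts(sampleHits));
console.log("loose keeps:", applyIncludeFilter(loosePattern, sampleHits).map((h) => h.hostname));
console.log("strict keeps:", applyIncludeFilter(strictPattern, sampleHits).map((h) => h.hostname));
```

The filter only checks the hostname reported with the hit, so reviewing the list of hostnames seen under your Web Property ID remains the way to notice that the code is running somewhere else.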

See Google Analytics Domains & Directories, Managing Profiles and Accounts & Profiles, along with “How do I create a filter?” in the Google Analytics Help Documentation for more information on controlling where your stats come from.

4 Responses to “Have Your Stats Been Hijacked?”

  1. Joe Audette says:

    It still seems to me that there is an unsolved problem. Checking the domain or configuring with a filter for a domain may prevent accidental stats hijacking as in your example, but it doesn’t really stop intentional stats hijacking. If someone wants to post bogus data into your stats they just set an entry in the hosts file on their machine so that another site can appear to be using your domain in their own browser; then it seems the traffic would still be tracked.

    Or is it somehow detected if the domain is spoofed?

    I know I have filters enabled in Google Analytics but I still see a small amount of noise that doesn’t seem to come from my site. It’s very small so it hasn’t been a real problem, but the above is my theory of how it can get in there.

  2. Dan Morin says:

    You talk about how this is a security feature in Woopra, but isn’t it interesting that if he had only been using Woopra, he would have never known that someone stole his theme and potentially much more?

    I personally consider this “feature” of Woopra a bug or deficiency as it prevents useful statistics from many websites that operate under different domains. Regardless of whether it’s language-specific domains, or your site allows its users to assign custom domains (like blogging platforms), Woopra will “protect” you by not reporting any of this traffic.

  3. @ Dan Morin:

    There are many ways of tracking content theft. We’ll be discussing how Woopra helps with copyright violations and content theft in the future.

    The issue wasn’t about content theft, but about skewing your stats if someone picks up the web analytics code. With Woopra, you are protected from the start. With Google Analytics, you have to set up the system to protect your stats.

  4. Doug Lampi says:

    I’m addicted to watching my Woopra Stats, but I also use Google Analytics.

    This post made me aware of the security issues of Google Analytics – and also gave me some valuable tips about customizing Google Analytics that I’m glad to have learned!

    Many thanks for all you do!

    Doug
