I use Matomo for years now and it works quite reliably. (A few updates failed the automatic update, but nothing serious)
Only thing that bothered me is that most Ad Blockers are blocking Matomo as well. I did build a little Script to circumvent that, you might find it handy as well:
https://gumroad.com/l/matomo_circumvent_adblock
I use it on my website. Check if your ad blocker is capable of blocking it: https://simon-frey.com
It's your call really, but a website owner tracking you with their own software on their own Matomo instance is not the problem. This is essentially the same as monitoring website logs... that's not disgusting at all.
I think grouping server-side tracking with JavaScript based tracking is an oversimplification. JavaScript tracking is much more invasive and can access significantly more data. From something as straightforward as fingerprinting to potentially even more invasive data such as geo-location, battery status, webcam, microphone - you name it. Server access logs aren't going to track my eyes.
I think we can all agree there are different levels of acceptable tracking and use of that data- but the degrees of acceptance are going to be different depending on the user and service. I don't consider bypassing my restrictions to run unauthorized code to be an acceptable tracking method and raises serious concerns about how the data will then be used.
Anyone can do all sorts of things. I can punch anyone I see on the street in the face. Doesn't mean they're actually doing it.
Now, I have a vested interest in this as I work on one of those tracking tools, but it actually collects less data than those Apache access_logs that people have been keeping for 25 years. Plus, the JS is unminified and easily examinable if you want (as is the HTTP request), so you also have more insight in what is being collected exactly.
"It's using JavaScript" and "it can do [..]" are massive red herrings; browsers are actually fairly sandboxed and there are millions upon millions of lines of code on your computer that can do much more than JavaScript inside a webpage.
> I can punch anyone I see on the street in the face.
Yes, and then you would be charged with assault. It is great that you work on a tool that respects peoples privacy. I suppose I failed to put an emphasis on trust. With server side logs, less trust is required because there is less that can be done. Paired with VPN, I can have reasonable belief that server side logging is not logging anything unreasonable and it does not require trust that they are not fingerprinting me. As you say, just because someone can do something doesn't mean they will - but trust is required, especially if there are no repercussions if that trust is violated.
OTOH JavaScript tracking is an easy way to filter out a lot of the bots. I use a little bit of JS-based tracking for exactly this reason, but I'm not extracting anything that wouldn't show up in server logs (eventually I also want to get some "time spent on page" metric so I have some idea how useful my blog posts are (are people clicking and leaving right away or are they sticking around to read). You pretty need JS for this. In whatever case, web analytics like these aren't "tracking"; you're looking at user behavior on your own site; not trying to follow them around the Internet or otherwise identify them.
Matomo doesn't track all that much.
Screen size, which is wrong for Firefox vs Chrome.
Visit time and unique user and visit ID. Also some ecommerce parameters if you set them.
As well as if your browser supports whatever tech like flash, silverlight etc.
It's a slightly better server log.
When the GDPR was entering into force, I remember some speculating that monitoring Apache logs could violate it, since the user has not consented to having their personal details (i.e. the IP address) processed. What was the final consensus reached on this?
Ad blocking != block tracking. If you don’t want to get tracked, turn on Do Not Track in your browser. Matomo and most other privacy focused analytics scripts respect that setting.
While I agree that is the proper solution, most analytics do not respect the Do Not Track header. Beyond it being mostly ignored, Safari (which currently has 20% global browser share) removed support for Do Not Track in 12.1. So even though Matomo might respect the header request, there is no way for me to send that header on many of my devices. Blocking is the only solution left to me to 'opt out' of tracking regardless of the good intentions of Matomo.
Sure, so I have tracking protection too both through uBlock Origin, and Firefox' tracking protection feature. Yet, here you are, bypassing my tracking protections.
If you're using Firefox tracking protection (which I'm guessing using DNT as well), then Matomo by default does not track you though. So no, your tracking protections aren't being bypassed.
Why not block access to the content then? You can't watch Netflix streams without paying for them, that's trivial to implement.
Ah, right, creators want their content to show up for my search keywords, Google won't let them have pages only visible to Google bots (though even that is changing with the rise of paywalled sites), and they want the money from that same Google showing ads from their ad network.
Google initially promised to deliver a search for the open web unencumbered. It has become a sort of paywall itself (accept our ads or our search results will be useless pointing you to pages that only work if you have ads enabled).
Sure, it would be fair if they haven't pushed out the competition acting entirely differently ("we have no ads", "our ads are clearly marked" to current "see if you can tell a difference between an ad and your search results").
Unfortunately your script still calls a third party domain, which is trivial to block using a generic AdBlock/uBlock rule. Instead, you should host the matomo script (under a different filename of course) on your own domain. That way it won't be as easily blocked.
I go as far as to send all the tracking parameters through a custom server script before they are proxied to GA and Matomo. That way, I can change the script and parameter names at will, making them much more difficult to block. For example, Matomo-related blocking rules are as follows:
Sure if someone explicitely blocks you and you alone, that's fine. The problem is you getting blocked generically, because you're using the same scripts or patterns as everyone else, such that there exists a very wide and generic block rule in uBlock Origin or some other filter that happens to apply to your own domain. That's unacceptable and worth fighting against.
Unless I am missing something, that's trivial to block.
Any tracker can be made to work around ad blockers by making callbacks to the site itself and having a small shim there that forwards these pingbacks to the actual tracking service. But even then they still can be blocked based on the request contents.
I've tried to use it and... they could work on improving the installation guide. I gave up after an hour or so of failing to provision the database and create configuration in a way that gets me to the initial setup screen. I was using their docker setup for this.
It's kind of my job to take random apps, deploy them and manage properly, so I'm not a clueless user here. I could press on and figure it out with more time, and I understand they'd be happy with people using the cloud offering / paid support instead. But I also feel like a working docker-compose (or comparable) setup is table stakes these days for an open-source service.
This lets me in at localhost:4000 and I just enter "mysql" as the DB host, "root" as the username & password and "matomo" as the database name, and it's basically done.
Of course, I probably have to point it out or someone else will, that it's a bad idea to be using the MySQL root user, instead of creating a user with the rights that Matomo needs: https://matomo.org/faq/how-to-install/faq_23484/
I’ve found that using geerlingguy’s Ansible roles for MySQL, Nginx, and PHP, most random PHP applications can be deployed with default configuration. I’ve had them in production with Matomo for the past year or so and had no problems so far.
A lot of the challenges faced with a ‘from scratch’ install will revolve around which PHP version and extensions to install and how to get Nginx to talk to FPM. Neither of which are trivial for someone wanting to test/evaluate without much prior knowledge.
My anecdotal experience is that people liked it better than GA. I also really like how easily you can extend it. In one case (a webshop) we added the currently logged in user so we can track what they look for specifically so we can improve the search and categories.
Any cheap Hetzner dedicated (~30€/month) can handle tracking thousands of daily visits without breaking a sweat.
If we're talking about 10s of thousands, you're gonna need to invest in some SSD (€50-70/month probably).
If we're talking about dozens of sites, some of which have millions of yearly visitors (and a bunch of plugins and reports that need to be generated), then you're gonna encounter some issues and have to spend a considerable amount of time optimizing every part of it, and hardware cost will rise to a hundred or two per month.
To add another level: To track millions of requests per day for a couple of sites, it will probably cost around 1k - 5k per month, hosting on AWS. It's advised to use not the cheapeast hoster here, because any little outage directly affects every site that implements your tracking technology.
> It's advised to use not the cheapest hoster here, because any little outage directly affects every site that implements your tracking technology.
I guess it depends on how essential your tracking is, and how you've implemented it. It shouldn't be added in a way that can take out your site unless there is some business critical reason to track.
Then I'd ask, just how critical is the tracking? If losing a few hours of data is going to throw off your product development, do you have enough data to be making decisions? My experience is that bugs and misconfiguration of experiments is common in most orgs, so even if the system is up to capture all data, product managers check an experiment a week later to find they have only 50% of the data.
While it makes sense for some projects to use AWS, Azure, Google Cloud, etc, you could track the same number of requests on Digital Ocean, Vultr or Linode reliably and for less money.
It's pretty easy to make your own analytics. It's not famous, but I open-sourced mine; it's called Bast, written mostly in Rust, and it's easy to deploy it. https://github.com/kooparse/bast
I did the same for my Go library [0], but I don't think it's "pretty easy" if you want to do it right. Especially filtering out bots is a constant hassle, it needs to be tested, maintained, just like any other software. So, paying something like $4 is worth it, if you don't want to think about it as much.
You have a very good looking UI there. I really love the simplicity.
Installed it on some websites recently. Quite pleased with the UI and the functionality. Pretty spot on in terms of the right level of information about users - providing useful info without stalking people inappropriately. The new version (4.0) seems to improve on some earlier stability issues.
It is definitely clearly snappier, yes. There is some sub-second loading times, which should not be surprising, but not the sometimes multi-second lags I have seen in Google Analytics.
About data protection and GDPR, a good thing with Matomo is that, if configured properly, it can be used without requiring to collect the user's consent (since Matomo doesn't use the data for its own purpose). Of course there are less information collected but at least you don't have to display a form as soon as a user enters your website.
The French data protection authority issued a piece of code (JS) which must be used to avoid collecting the user's consent. I don't know about other data protection authorities in the EU but it shouldn't be much different.
> it can be used without requiring to collect the user's consent (since Matomo doesn't use the data for its own purpose)
This is not how the GDPR works. If you are collecting personal data, or if you are dropping analytics cookies on someone's device, you need consent. No ifs or buts.
It is true that an opt-out system must be installed on the website (Matomo gives that piece of code) but - as noted on the github link you posted - that very is different from an opt-in system (which is the standard GDPR requirement).
GDPR does not require consent. If you use consent, then it must be freely-given, but can often use a different legal basis when processing personal data.
The ePrivacy Directive requires consent for reading or writing from a terminal device. This includes anything with cookies, even if they're not personal data. While the ePD refers to GDPR for its definition of consent, it is a separate piece of legislation and many things that are true about GDPR are not true about ePD (such as being able to invoke Legitimate Interest instead of consent).
Sure, but when it comes to cookies, consent is almost always required on the GDPR basis (other legal basis are rarely working).
You're right to point to e-privacy, to which consent is central. But the latest draft of its new version states that (art.8):
1.The use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment, including about its software and hardware, other than by the end-user concerned shall be prohibited, except on the following grounds:
[...]
(d)it is necessary for audience measuring, provided that such measurement is carried out by the provider of the information society service requested by the end-user or by a third party, or by third parties jointly,on behalf of theone or more providersof the information society service provided that conditions laid down in Article 28, or where applicable Article 26,of Regulation (EU) 2016/679 are met
So Matomo can still do without the user consent (from what I understand, the relation between GDPR and e-privacy is no easy business).
> when it comes to cookies, consent is almost always required
We are in agreement. It seems I wasn't clear enough in my original post, but this is my overall point. GDPR doesn't require consent, but consent is required because of ePD.
> latest draft of its new version
> So Matomo can still do without the user consent
The new draft is not law yet. It's been 6 months away from passing for several years now. In the meantime, fines are still being issued under the existing law. Google got fined a hundred million euro last month in France, and that fine was very specifically ePD and not GDPR for a variety fo reasons.
> So Matomo can still do without the user consent (from what I understand, the relation between GDPR and e-privacy is no easy business).
It also depends on the jurisdiction. For example the ICO has been clear that using a cookie based analytics tool requires a GDPR level of consent, without exceptions.
This is not how the GDPR works. It lays out several legal basis for the collection of personal information, of which consent is one. There are others as well.
I'd have to re-read it to be sure about analytics cookies, but I don't think it says a whole lot about that off-hand. This the the ePrivacy directive.
I have setup a load balancer with 3 instances of matomo connected to one mysql database to handle tracking on a website with around 7000 visits a day. It could all probably be handled by just one instance but that is sort of the standard setup we have for things.
matomo is very comparable to google analytics in terms of reports. matomo has some things that seem a little easier to get to; like visitor flows.
However, matomo seems to just give up on big data, complex reports. Similar reports in google analytics take a long time to complete, 10 to 40 seconds, but they at least complete; eventually.
Isn't the performance limited my the MySQL database and not by the webserver? Wouldn't make more sense to have a cluster of three MySQL database instances and one matomo instance instead?
I used matomo once for a basic Wordpress blog (with cloudron) but for some reason it led to my site being flagged as distributing malware and I vanished from search engines. Apparently there is a Microsoft form you need to fill out to get unflagged where you explain what data your site is collecting but I just took the site offline because I was too busy to dig into it. Extremely annoying since the entire idea is to collect as little personal information as you can. It wasn’t matomo fault, its somebody’s dysfunctional web crawler bot auto generating reports
Offtopic: What is your experience with cloudron? Does it make it a lot easier to self-host apps, or the complexity/limitations it adds on top are not enough to justify using it?
Are these alternatives fully able to replace Google analytics?
I sort of thought Google analytics would tell you more about your visitors since with Google cookies, they could map them to other visited websites, centers of interest, age group, etc.
Are you loosing all that when switching to a less intrusive analytics platform such as this, or is Google analytics not leveraging their ability to disclose more about the visitors?
Google Analytics tells you more about your audience because it stalks people across the web. Matomo can never provide that without having a broad range of websites from which you collect data and writing custom code to annotate visitors with your own interest tags.
Matomo purely tracks analytics: who visited what page, for how long, from what device, from what location, from what inbound website, and what outbound links did they click. It also provides a log of pages requested per session so you can analyze people's flows through your website.
It's certainly not a replacement for Google Analytics if you use it to collect background information on your visitors. Even though Google's information is very broad (you mostly get ranges and the interests aren't that reliable), some marketeers use it to make decisions about their marketing strategies. Matomo won't help you there, your alternative would probably be Facebook or another big tech tracking solution.
It does provide a replacement for the type of tracking that I personally find acceptable, assuming the IP addresses are anonymized sufficiently. Matomo recommends shortening IP addresses to /16 after analysis, which I consider good enough, but that's a setting administrators can change.
What information exactly does GA tell you from stalking people across the web? I don't think Google sharing with you accurate information about the people visiting other websites would be completely legal (GDPR). Where exactly do you find this information in the dashboard?
It's off by default. Turning it on gives you basic demographic data but also means you consent to sharing your GA data with Google to use for advertising purposes.
Yes, that was my point, probably they get this data for themselves and improving their own services but as a webmaster you don't get all this data yourself.
Demographic data like: age (in buckets of 10 years), gender, household income for some countries, whether you're a parent [1] + Interests/"Affinities" [2]. I think these are derived from your Google search history and the sites you visit.
You do need to explicitly enable this in the GA dashboard, and ask users' consent under the GDPR.
Hey there, we are working on Pirsch [0] (another GA alternative).
If you can replace GA depends on your needs. GA collects more personal data, you get better insight of your audience. This is important if you do online marketing and like to see how well your campaigns perform. GA does track visitors across days and you can therefore see if someone came back after a week and made a purchase.
In case you don't do that or are simply not interested in specifics, all the alternatives are good enough right now, I think. You can still tell how visitors navigate your page, what content they visit most and all that stuff. We are currently thinking about what we can add to gain more insight for businesses, without invading privacy as Google does.
Only half the truth and a common misunderstanding. Define "visitor statistics". GDPR is about personal information, yes, but the cookie directive is also about tracking features in general. See the current so called "cookie verdict". To break it down: If you just count page impressions, you should be fine. Everything beyond is complicated. (Besides that, it does not matter where you host the data, on-premise or on foreign soil or if you use cookies or any other storing technology.)
29 euros a month for the managed, on-cloud version. Does anyone know inexpensive Google Analytics alternatives for small sites, that are hosted for you?
Any one know a node alternative to GA? Matomo is great, but for something like GA, node would be best option for handling large amount of http requests.
I started using Umami (Node/Next) to replace GA on my major site (70k/30days). It provides the data I care about seeing, and nothing more. Public preview: https://analytics.kbg.rip
Of course you don't have to have nodejs to handle large amounts of http requests, if you spend enough time you can get any language/framework to handle the amount you need :)
But, seems that at least in the TechEmpower framework benchmarks, es4x (JS) ends up on position 9 while the closest PHP framework ends up at 13. Now it's just a small benchmark with specific tests, but I do think it's easier to make NodeJS handle large amount of requests than PHP. Although again, you can definitely do large amounts of requests with PHP too. I've spent about 5 years on each, found that getting good performance out of V8 is easier than out of PHP.
While I agree that 1.7k issues are a lot, also keep in mind that there are 9.6k closed issues and they are bugs and feature requests over 11 years that never get closed as there might be someone else coming across some feature request one day who wants to implement it.
Fun fact that should be point out: Most of those issues and pr’s comes from core team members. There is almost no community around it, but looking at these numbers you get the impression that it is otherwise.
I think it's more a consequence of not tidying up. There are irrelevant issues open from 2008. On the other hand I prefer 1.7k issues to project where they aggressively auto-close tickets
if projects are given the option to 'auto-close' tickets (which honestly, I don't mind - having loads of open stuff can hamper finding more recent/useful info), wouldn't it be helpful to have filter to view 'auto-closed' tickets vs 'closed' tickets?
I say it's not completely open-source mainly because it's not free and people usually expect open-source to equal free.
Once you purchase it you get full access to the original server-side code (PHP, MySQL).
For the client-side part you only get the bundled JS/HTML/CSS (the original client-side source code is TypeScript, React), mostly because otherwise I would have to provide all the build tools and document better the code, tooling, building, releasing, etc.
> people usually expect open-source to equal free.
Open source has a specific meaning - is the Software released on an open source license. (https://opensource.org/licenses) For example if you pay enough, you get ms windows source as well - that doesn't make it "not completely open source". Your project doesn't seem to be open source at all.
Sorry for the misunderstanding then, I might be using the wrong terminology.
I have seen many other products that are marketed as "open source" because you get the source code after you purchase it, so it is literally "open source", but not "open-source" as in released under an open-source license.
I am personally not marketing userTrak as open-source and I will stop using similar terms if other people do have a strong opinion about what "open-source" actually means.
I think the term 'shared source' was coined to describe that particular business model (under certain conditions, the code is shared, and perhaps modifications may be allowed in some scenarios, but no redistribution).
From your license agreements (this language appears in all 3):
You are NOT allowed to:
Redistribute in any way any of the userTrack files or any parts of the userTrack's source code (with the exception of the public tracker JavaScript files that have to be included on your site).
Install userTrack on someone else's server.
Continue using userTrack or offering userTrack access to others after this license agreement has been voided (either via a refund, license period expiration or legal action).
This is not open source (or even "fair code" as redis etc advocate for). Providing the source but under a license like this is usually referred to as visible source or shared source
You are correct, I did confuse the terms "visible source" with "open source".
The way userTrack is currently distributed is as any other digital product (you pay for it and you are not allowed to sell or redistribute copies of it) with the mention that the server-side code is un-compiled and un-obfuscated so you can transparently see what it does, how it does it and change it if you want.
I am not sure that fully open-sourcing it is the way to go as I've seen so many projects die or disappear because the maintainers didn't have a lot of incentives to keep improving it or simply no longer had time to work on it. I also think that it's fair to pay for something that brings value to you also knowing that by paying for it you support its further development.
Thank you! userTrack was never free, but I did change the pricing model from lifetime, to yearly to now being one-time payment + yearly payments for updates.
I would love to make userTrack free if I can find a sustainable way to work on it. Most other similar open-source software offers a "hosted" version to get revenue, but my goal is to promote decentralization and self-hosting in general, so me focusing on the hosted version would go against my goal and beliefs. I really want to see a feature where any non-technical person can choose a few products and have them running on their own VPS/server in a few clicks. This would have many advantages for the clients AND for the developers:
* Clients pay a lot less for a products
* Developers must focus more on product and performance, leading to higher quality products.
* Hugely increased privacy for the average internet user and for the own data of the client using the product
* Better performance (each client has their own server so it is more likely to have more resources)
* Better latencies (each client can choose to use/host their product on a local datacenter)
* Better data transparency, easier migrations and fewer vendor lock-ins (if you own the server and the data on it you can most likely always export it in some form)
I think there are many other advantages for both companies and clients. The current SaaS environment makes it really easy for companies to ask huge amounts of money for services just because they want to, as the client has no real alternative unless he is really technical and can spend days installing and maintaining a self-hosted software that rarely gets updated.
Sorry if it seemed like I was complaining about the pricing change. I was just wondering whether I remembered it correctly from here (https://news.ycombinator.com/item?id=24207129)
No worries, I was just making the history of the pricing structure clear.
Thank you for the kind words, I do love working on this project and I hope to be able to continue working on it. Existing customers absolutely love it and keep recommending but I am still struggling with finding a pricing structure that makes sense for everyone.
I do hope that one day I will find a way to make userTrack free for everyone, but looking at Matomo, making it open-source seems to drastically slow the development of a project as there are so many people involved and so much more decisions to be taken. Apart from that I would still have to earn a living somehow, but if I get a job and keep userTrack open-source I won't be able to spend too much energy on maintaining it and I hate not being able to make a product as good as it can be.
A startup I worked with used Piwik(now Matomo) & defrauded investors with fake visits by tampering with the DB. Any VC should actively be involved & knowledgeable of analytics that is presented to you in order to avoid being ripped off.
I'm not sure if this is specific to Matomo. You could use headless agents over web proxies around the world to inflate Google Analytics as well. It just costs less to do it in your own DB.
I don't think that's always possible as it's a browser security limitation. The referring domain can decide to pass on only the domain, not the full URL.
I started writing a backend in Go.
So far it parses the request, turns it into a struct and saves it to mongodb. However 2 requests per page are recorded, no idea why that happens. One has 24 or 25 fields filled, the next 15-19 fields.
Anyhow that's as far as I got.
The next and largest step would be analyzing those records aka creating all those beautiful graphs.
Also creating a management interface for sites and generation of tracking code.
While it's open source (search for gopiwik) it still uses the mgo.v2 driver and I just yesterday added go module support and did some minor changes.
I thought, why reinvent the wheel, let's just grab the piwik.js and build a receiver. Turns out it's a bit more complicated than that.
What do you use to track whether your site is growing or shrinking in popularity? Server logs? If so, I’m curious whether not being able to filter out bot visits is a problem
Only thing that bothered me is that most Ad Blockers are blocking Matomo as well. I did build a little Script to circumvent that, you might find it handy as well: https://gumroad.com/l/matomo_circumvent_adblock
I use it on my website. Check if your ad blocker is capable of blocking it: https://simon-frey.com