It recently occurred to me when I was in a particularly devious mood that because Google Analytics is entirely driven off of JavaScript, anyone who knows how to view your page source can see what UA number is being passed to Google. Armed with that knowledge, someone could sabotage your site’s data by maliciously using your Google Analytics UA number on their site.

Why anyone would do this is beyond me. The thought occurred while I was upgrading State Supply’s legacy Analytics JS implementation with Google’s newer Universal Analytics. I immediately got a weird feeling about the issue and turned to a tool that I rarely use in Google Analytics, filters.

Typically when filtering data In Google Analytics I use segments. Almost everything that you can accomplish with a filter can be done with a segment… almost. The difference between filters and segments is that filters are destructive and segments are non-destructive. Filters are used when the objective is to prevent data from ever entering Google Analytics (to “filter” it), while segments are used to slice and dice data that exists within Google Analytics (to “segment” it).

Segments are generally the way to go when analyzing data in Google Analytics. However, there are circumstances where you could should use filters. The most common use case for filters is preventing visits to your website from specific IP addresses (your home, work, etc). A filter in this case makes sense because you don’t want your own traffic polluting the data pool.

You probably have an idea now where I am going with this. Because filters are destructive, we can use them to remedy the aforementioned problem. One of the ways to do this is to create an Include only filter for your site’s hostname. Yes, someone could easily get around this. But since they have no idea that the filter exists, I think it’s a pretty good solution.

To my amazement I have yet to come across this solution in any Google Analytics training. I have not even heard the problem addressed! While a lot of training covers how to use and implement filters, no training (that I know of) explores the security opportunities that filters provide. So, let’s plug this [potential] data threat by creating a filter to only include data from our site’s hostname.

  1. Find your hostname using the JavaScript console in your web browser. Type window.location.hostname in to the console and it will return your hostname.

    Screenshot of JavaScript console returning a website's hostname
    Website Hostname
  2. Click the Filters link in the Google Analytics admin for the specific view that you wish to create the filter on.

    Note: If you only have a single view for your web property, you should create a new view. You should always retain a raw view without any filters applied — remember, filters are destructive!

    Screenshot of the Google Analytics admin with the Filters link circled
    Google Analytics Admin
  3. You will now see a table with all of the filters for the view. Click the New Filter button.

    Screenshot of the Google Analytics filters for the current view
    Current Filters
  4. Specify a Filter Name and update filter options as follows:

    • Include Only
    • traffic to the hostname
    • that are equal to
    • Enter your Hostname using the value that was returned to the JavaScript console in step 1.

    Screenshot of Google Analytics new filter page
    Create Filter
  5. Click Save and be protected.

Posted by: John Dugan