by gk1 3996 days ago
I do marketing ops consulting and see this stuff all the time. First, let's get two things out of the way:

1. Yes, Google Analytics can be quite useless if you keep default settings with no configuration.

2. That doesn't mean you should jump straight to a self-hosted solution, or a paid solution, or throw up your hands and say "it'll never be accurate."

For most use cases, GA is more than good enough to measure effectiveness of online marketing efforts. Dismissing it outright in favor of a paid or self-hosted option just because you didn't google "how to prevent analytics hijacking" is bad decision-making.

/rant

Now on to the fix...

You can create a filter in your GA view settings to ignore tracking calls from any hostname other than your own. See here: https://support.google.com/analytics/answer/1033162?hl=en

PS - No client-side analytics will ever be 100% accurate, certainly not GA. But for the purposes of measuring marketing efforts and results, you can have greater tolerances. It's a tool for marketing, not logging.

3 comments

I would also add that once you set up Google Analytics correctly, it should be a good measure of month-to-month or day-to-day improvement(s) (within some error bound).
Good point. What about the PHP SDK though?
Hostname can also be easily faked.
That's true, but at that point you're really asking if it's possible to send JavaScript to an attacker to run and have them not be able to arbitrarily alter what that code does. In which case the answer is of course not, regardless of what the code is.

Usually the answer is gk1's above and keeping an eye on server logs to see if they match up with the client analytics data you're getting. You can even have events sent from both in GA or Piwik or whatever so you can compare them in the same UI, looking at e.g. event flow so that everyone who loaded some data first triggered a fetch event on the server for that data. Of course then your attacker can just get a botnet to start mindlessly doing page views of your site...

You also need to add regex filters for Campaign Source like:

"semalt\.|social.?buttons\.|hulfingtonpost\.|best-seo-(solution|offer|service)|free.traffic|buy-cheap-online|prodvigator|cenokos\.|ranksonic\.|adcash\.|share.?buttons\.|blackhatworth|buttons-for.?website|darodar\.|100dollars-seo"

To help keep down the spam.
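
The checks discussed in this thread, as an added example that is not code from any commenter: a Python sketch that applies the hostname filter and the Campaign Source pattern quoted above to constructed hits, then cross-checks what remains against server-side records. The hostnames, field names and the client id shared between client and server records are assumptions made for illustration.

```python
import re
from collections import Counter

# Campaign Source pattern quoted in the thread, copied verbatim.
SPAM_SOURCE = re.compile(
    r"semalt\.|social.?buttons\.|hulfingtonpost\.|best-seo-(solution|offer|service)"
    r"|free.traffic|buy-cheap-online|prodvigator|cenokos\.|ranksonic\.|adcash\."
    r"|share.?buttons\.|blackhatworth|buttons-for.?website|darodar\.|100dollars-seo",
    re.IGNORECASE,  # assumption: unanchored, case-insensitive matching
)

OWN_HOSTNAMES = {"example.com", "www.example.com"}  # placeholder for your own site

# Constructed sample data: (client id, path) pairs seen by the web server,
# and hits as reported by the client-side analytics snippet.
SERVER_LOG = [("c1", "/pricing"), ("c2", "/"), ("c4", "/")]
CLIENT_HITS = [
    {"cid": "c1", "hostname": "www.example.com", "source": "google", "path": "/pricing"},
    {"cid": "c2", "hostname": "www.example.com", "source": "semalt.semalt.com", "path": "/"},
    {"cid": "c3", "hostname": "(not set)", "source": "darodar.com", "path": "/"},
    {"cid": "c5", "hostname": "www.example.com", "source": "(direct)", "path": "/signup"},
]


def classify(hit, server_seen):
    """Return 'keep' or the reason this client-side hit should be excluded."""
    if hit["hostname"].lower() not in OWN_HOSTNAMES:
        return "foreign-hostname"      # tracking call not made from our site
    if SPAM_SOURCE.search(hit["source"]):
        return "spam-source"           # known referrer-spam campaign source
    # A hostname can be faked, so require a matching server-side request too.
    if (hit["cid"], hit["path"]) not in server_seen:
        return "no-server-request"
    return "keep"


def summarize(hits, server_log):
    """Count hits per classification, using the server log as ground truth."""
    server_seen = set(server_log)
    return dict(Counter(classify(h, server_seen) for h in hits))


if __name__ == "__main__":
    for reason, count in summarize(CLIENT_HITS, SERVER_LOG).items():
        print(f"{reason}: {count}")
```
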