Ever noticed tracking requests that look unnatural or originated from locations you wouldn't expect to get visits from?

These tracking requests may be caused by spammers or bots and make your data less accurate. The only thing that is worse than having no data is inaccurate data.

This plugin offers various options to fight spam and bots, so you can rely on your data:

1. Block requests from cloud providers

When enabled, this plugin will automatically detect IP addresses used by popular cloud providers like AWS, Azure, Digital Ocean, Google Cloud and Oracle Cloud.

When a tracking request matches such an IP address, then the tracking request will be blocked. Additionally, some Cloud providers like Alibaba Cloud may be detected using the geolocation database (requires eg DB-IP City DB).

If you are only tracking using the JavaScript tracker then this should be a safe feature to enable as tracking requests from humans would not originate from these clouds.

If you are sending tracking requests from a cloud server, then you can also configure IP addresses that are always allowed, so you can still use this feature.

2. Block requests from headless browsers

When enabled, this plugin detects the most popular headless browsers and block tracking requests that originate from a headless browser.

Headless browsers are browsers without a user interface and are mostly used for automation. Regular visitors would not use such a browser. It can block additional bots and spam requests that otherwise would not be detected.

It cannot detect a headless browser when the user agent is customised. Often, we can detect them though.

3. Restrict number of actions per visit

When enabled, you can configure how many actions a visit should max have.

Most sites, under normal circumstances, may have no more than 100 or 200 or 300 actions within one visit. In many cases it might be therefore safe to assume that if someone has caused more than the configured amount of actions, it might be a spammer, or a bot, or something else unnatural causing these actions.

Matomo will in this case stop recording further actions for that visit to have less inaccurate data and to reduce server load. The IP address of this visit will then be blocked for up to 24 hours.

You can also be notified by email when an IP address is banned because a visit had too many actions.

4. Exclude countries

This feature lets you configure to only accept tracking requests for visitors from specific countries. For example, if you have a German website, then it might be unexpected to have any legit visitors from a country outside of Europe meaning a visitor is likely a spammer or a bot in this case. By only tracking visitors from certain countries you can easily avoid a lot of potential spam and bots plus you might also avoid needing to be compliant with certain privacy laws.

5. Referrer spam

This feature is not part of this plugin but part of Matomo core. Matomo maintains a list of spam referrers and Matomo will block tracking requests when such a referrer is detected.

Recommended other features

You might also want to configure to track only URLs that belong to your website. This way any URL that does not belong to your website will not be tracked. This feature is part of Matomo core.

Privacy

The plugin does not send any information of your visitors to another server. If you enable the "block requests from cloud providers" feature, then your server will download up to date IP ranges from cloud providers directly and store the information in your database.

How do I allow specific IPs to not be blocked?

Say you are using AWS to replay your traffic using log analytics. When you have the block clouds feature enabled, all the requests from your AWS would be blocked. However, you can specifically allow your own IPs to be allowed and not blocked by editing your config/config.ini.php file and configuring a list of allowed IP ranges like this:

[TrackingSpamPrevention]
iprange_allowlist[] = "127.0.0.1/32"
iprange_allowlist[] = "192.168.0.0/21"

Make sure to enter a valid IP range.

What happens when it fails to synchronise public IPs from cloud providers?

Any error is currently ignored and if it does not synchronise successfully, then the IP for the provider that failed are not synced.

To be aware when such an error happens you can enable the following setting:

[TrackingSpamPrevention]
block_cloud_sync_throw_exception_on_error = 1

It is disabled by default as it could stop other scheduled tasks from being executed.

How can I block specific organisations from being tracked?

This can be useful if you are receiving spam requests from a provider that isn't automatically detected yet by this plugin.

For this to work the "Block cloud provider" setting must be enabled and a geolocation provider must be enabled.

You can block any organisation (if the geolocation database you are using includes this information) like this:

[TrackingSpamPrevention]
block_geoip_organisations[] = "ExampleOrg"
block_geoip_organisations[] = "another example"

Each organisation will be compared lower case and the organisation only needs to contain the configured value, it does not need to match it exactly.

You can find out the organisation name for an IP address by visiting the website of your geolocation database and using their demo tool.

  • Settings

  • Settings Country


Please share