Support » Plugin: Google Analytics for WordPress by MonsterInsights » This Plugin HAS A HUGE Security Flaw.. No Answer Yet???

Viewing 5 replies - 1 through 5 (of 5 total)
  • esmi


    Forum Moderator

    Please contact plugins at wordpress dot org with full details.

    I don’t think this is a security flaw with this plugin as much as it is your agency’s misunderstanding of how Google Analytics’ (GA) new interface works.

    If I understand you correctly,
    – You Build a Site, add client GA tracking number to your agency GA account, then install (GA) tracking number (UA-XXXXXX-X) through this plugin
    – Hand the site over

    This is where I think the mistake is, if I understand your post correctly.

    Installing the tracking should be done by your agency of course, but with the new owner/company’s email and their own account with Google Analytics.
    On their (client’s) (GA) account you must add your agency’s account email information in the ‘Account Permissions’ under the ‘User Management’. Your agency email will get a confirmation email to link to the client (GA) account. From there, you can now see your client’s analytic reports from your own agency (GA) page and they cannot see any other customer sites’ analytics.

    Installing GA on your agency’s account and then assigning your client’s email to see their analytics is fundamentally backwards and would create that ‘security flaw’ you are concerned with.

    I hope that helps you.

    FYI Google is doing training on GA starting next week on 10/8/2013, for more info go to

    I wish would add a LIKE button because SoCalCreation’s reply is perfect.

    The GA plugin by Yoast is excellent.

    I am also having this problem. I chose my own profile, and now my client sees my sites. There is no way to remove it, not even by uninstalling and deleting the plugin. Where is this plugin storing my auth token? I have tried many SQL queries, including

    select option_value from wp_options where option_value like '%google%';

    Which I thought would at least return something, but there is nothing. Please respond. I must remove my Google Analytics API auth token from my site. I have even disabled the app in my Google account security settings, and this plugin is still displaying the GA accounts from my profile, despite that I have denied it the privilege of doing this. I have emptied cache/cookies.

    If you think this is not a security problem, then please reconsider that it continues to access information from my profile without having approval, leaving no obvious way to remove it. All I ask is show me how to remove the auth token, and perhaps consider adding some options in the dashboard to purge that data.




    Forum Moderator

    @webavant: As per the Forum Welcome, please post your own topic.

  • The topic ‘This Plugin HAS A HUGE Security Flaw.. No Answer Yet???’ is closed to new replies.