Matomo 4.12.0

We are proud to announce Matomo 4.12.0: a new release of Matomo Analytics.

What’s new?

This is a maintenance release improving the stability, reliability and security of Matomo. Important features have been added to ensure Matomo works well with modern browsers, including supporting Client Hints and a new approach to allowing users to opt-out of tracking that doesn’t use iFrames. In Matomo 4.11.0 we introduced a new, more secure approach to adding new users by sending them an email with a link to accept your invite. In Matomo 4.12.0 you can now access the link to accept the invite with « Copy Link » button.

We are grateful for all community members who reported feedback and suggestions, our awesome team of translators for their work, and our Premium features customers and Matomo Cloud hosting customers for their amazing support.

142 tickets have been closed by more than 20 contributors!

After You Update

• Please help us spread the word! Maybe you can write about the project on your blog, website, twitter, talk at conferences or let your friends and colleagues know what is Matomo. Already 1,000,000+ websites are keeping full control of their web analytics with Matomo!
• Use the forums if you have any question or feedback (free support),
  or purchase a Support Plan to get professional support and guidance.
• To improve Matomo in your language consider contributing to translations.
• You can also support our efforts by purchasing valuable Premium Features for Matomo or try our Matomo Cloud solution.

Security release

This is a major security release.

Several moderate and low impact security fixes are included in this release. Moderate impact fixes include preventing an XSS vulnerability when using the Widgetize plugin – it was possible to inject javascript code through angular template injection, and an issue where an anonymous user could export a CSV report which, when imported in Microsoft Excel or similar applications could inject commands into reports.

Low impact security improvements include checking the two factor authentication (2FA) status of API requests made by the current session using `token_auth`, and extra escaping in the Overlay module to prevent a possible XSS attack.

These issues were responsibly disclosed to our Security team. Our security bug bounty program welcomes & rewards researchers who discover and responsibly report to us any security issues found in Matomo or any of the plugins created by Matomo/InnoCraft.

Database upgrade

This release does not contain any major database upgrade.

Platform Changes

Matomo is an open analytics platform. In an effort to help Matomo developers learn about improvements and changes in the core APIs, we document the changes since the last release.

In this 4.12.0 release there are breaking changes, new PHP Events, new Javascript Tracker API options, and new Privacy opt-out options. Read more in Platform Changelog for Developers to see all changes to the platform and APIs.

Note: the Marketplace showcases more than 90 plugins already compatible with Matomo and this is just the beginning. Matomo is your universal data analytics platform!

New and updated SDKs (Tracking API Clients)

The Matomo team offers official SDKs (Tracking API Clients) for measuring your mobile apps and any other kind of apps.

• iOS SDK [by @brototyp]
• Android SDK [by @d4rken]

New and updated guides and FAQs

New:

• Valid dimension-metric combinations
• Migrate from Google Analytics 3 to Matomo
• Increase the number of form tracking requests allowed in a single view
• Migrating from Google Tag Manager
• Matomo Cloud API usage limits
• Which plugin should I use with WordPress?
• How to manually apply database updates for a new Matomo version

Updated:

• Setting up a Google Analytics Import

Need help upgrading Matomo?

Read the Updating Matomo user guide or for more help we offer paid support plans.

List of 142 tickets closed in Matomo 4.12.0

matomo-org/matomo
• #16125 Support Sec-CH-UA Client Hints in addition to UserAgent [by @justinvelluppillai, @sgiehl]
• #17452 Offer opt out without iframe / 3rd party cookies [by @bx80]
• #19233 Handle 429 response code within UI [by @peterhashair]
• #19028 Have a message in the UI after install saying this plugin does not track to Cloud [by @sgiehl]
• #19525 Improve password confirmation in UI & API [by @sgiehl]
• #15262 Fix average order value graph flattening out to value 0 [by @bx80]
• #19540 Fix sizing of subtables with different column count [by @sgiehl]
• #15924 Ensure download urls are encoded correctly in visits log [by @sgiehl]
• #18766 Show the selected conversion rate on Goals->Overview evolution graph [by @peterhashair]
• #18781 Show correct « Rows to display » on Evolution graph [by @peterhashair]
• #19335 Improve password confirmation in UI & API [by @sgiehl]
• #19485 Fixes Goal row evolution with double quotes in the goal name resulting in an error [by @sgiehl]
• #19550 Ensure API requests with session auth check 2fa status [by @sgiehl, @peterhashair]
• #19586 Require password confirmation when removing users through UI [by @sgiehl]
• #19591 Require password confirmation when removing a site in UI [by @sgiehl]
• #19598 Use brute force detection for reset password action [by @sgiehl]
• #19611 Require password confirmation when inviting a user in UI [by @sgiehl, @bx80]
• #19302 Provide possibility to configure referrer exclusion list [by @sgiehl]
• #19387 Fixes glossary navigation [by @ulcuber, @sgiehl]
• #19530 Allow custom cookie expiry date for `optUserOut()` & `forgetUserOptOut()` functions [by @futureweb]
• #19572 Add config option for database errors to ignore during updates [by @bx80]
• #18750 Improve role/capability handling in usermanager [by @sgiehl]
• #19254 Fix adjacent elements to dashboard-dropdown-menu-modal overlapping on narrower screens [by @peterhashair]
• #19632 Fix CSP header when viewing plugin details [by @sgiehl, @justinvelluppillai]
• #19446 Fixes different height of selectors [by @ulcuber, @sgiehl]
• #19456 Fixes icon-menu-hamburger size [by @ulcuber, @sgiehl]
• #12024 Improve URL detection in mod_pagespeed check [by @sgiehl]
• #19319 Fix problem with too long browser version [by @sgiehl]
• #19323 Attempt to handle incorrectly prefixed region codes [by @sgiehl]
• #19346 Fix FAQ links using # in the link no longer working [by @Starker3]
• #19354 Improve reset password email formatting to fix broken link [by @bx80]
• #19360 Fix number formatting in additional Y axis in (evolution) charts [by @sgiehl]
• #19393 Fix date range handling to prevent evolution graph display being confused when changing the period [by @sgiehl]
• #19508 Fixed incorrect Cuban province names on visitor map [by @bx80, @sgiehl]
• #19569 Fix for current year not processed for new custom reports [by @bx80, @sgiehl]
• #19588 Fix placing series / series picker in charts [by @sgiehl]
• #19615 Fix for page goals visualization showing hits instead of visits [by @bx80]
• #19269 Include conversion attribution in visitor details [by @sgiehl]
• #19308 Improve debugging via Vardumper overriding [by @ulcuber, @sgiehl]
• #19333 Login plugin language reworked [by @comradekingu, @justinvelluppillai]
• #19363 Setting prepare callback before validation [by @ulcuber, @justinvelluppillai]
• #19374 Fix typo in Revenue Entry Documentation translation string [by @ulcuber, @justinvelluppillai]
• #19385 Added translation keys for scope titles in custom dimensions [by @ulcuber, @sgiehl]
• #19420 Implement url parameter to ignore referrer [by @sgiehl]
• #19454 Full width field in settings [by @ulcuber, @sgiehl]
• #19458 Add TikTok to socical networks [by @sgiehl]
• #19491 Allow reading consent removed cookie even if cookies are disabled [by @sgiehl]
• #19510 Update outdated FAQ and Guide links [by @Starker3, @sgiehl]
• #19517 Exclude paypal as referrer in javascript tracker [by @sgiehl, @justinvelluppillai]
• #19527 Update HTTPs security check, when client is using HTTP just throw a warning on diagnostic [by @peterhashair]
• #19532 Implement cookie expire time – forgetConsentGiven [by @futureweb, @sgiehl]
• #19594 Do not accept invalid SSL certificates for requests to ASPSMS and Clockwork [by @sgiehl, @bx80]
• #19673 Adds Microsoft and Yandex click ids to default query parameters exclusion list [by @AltamashShaikh, @sgiehl]
matomo-org/tag-manager
• #503 Add support for `data-matomo-mask` attribute on events [by @snake14]
• #519 Prevent possible XSS via changeDebugUrl [by @AltamashShaikh]
• #249 Add description/comment field to Tags/Triggers/Variables for better documentation of functionality [by @snake14]
• #543 Handle Click Events correctly in shadowDOM (web components) [by @multikoop]
• #334 Added goal revenue field to tag edit view [by @snake14]
• #314 Fixed issue when renaming Matomo Configuration variable, its name is not propagated to the tags using it [by @snake14]
• #511 Improve Start and end date for Tags handling of timezone [by @AltamashShaikh]
• #326 Fix for Tagmanager working along with CSP when triggering a HTML tag [by @snake14]
• #495 Show info icon documentation links when defining triggers [by @snake14]
• #504 Fixes UI issue by setting container selector max width [by @ulcuber]
• #541 Add a link to the documentation about the datalayer when the container tracking code is shown [by @snake14]
matomo-org/tracker-proxy
• #77 Update # FAQ Links to match new knowledge base structure [by @Starker3, @sgiehl]
matomo-org/matomo-php-tracker
• #104 Adds support for client hints [by @sgiehl]
matomo-org/device-detector
• #7082 Add detection for postmarket os
• #7129 Detect new brands: Intel, PlusStyle, New Bridge, ZIK, Famous, Facetel, HLLO, LNMBBS, Quest, SNAMI, TeachTouch, YUMKEM, TTK-TV, Emporia, GEOZON, iReplace, actiMirror [by @sanchezzzhak, @sgiehl]
• #7134 Detect devices for several existing brands – Acer, Ulefone, Vodafone, Sony, Xiaomi [by @sanchezzzhak, @sgiehl]
• #7137 Detect devices for existing brands – RoyQueen, Sico, Digicel, Xolo [by @sanchezzzhak, @sgiehl]
• #7138 Fix version truncation for client hints [by @sgiehl]
• #7140 Detect devices for existing brands – Samsung, QMovile, MyPhone, Huawei [by @sanchezzzhak, @sgiehl]
• #7141 Detect Petal Search app and Detect Nova 9 SE device for Huawei brand [by @sanchezzzhak, @sgiehl]
• #7142 Detect devices for existing brands – Nubia, Stylo, Kivi and others [by @sanchezzzhak, @sgiehl]
• #7143 Add bots: aiHitBot, ADmantX Service Fetcher, DomainCrawler, DNSResearchBot, AdAuth, Faveeo, Kozmonavt, CriteoBot
• #7144 Detect bots: aiHitBot, ADmantX Service Fetcher, DomainCrawler, DNSResearchBot, AdAuth, Faveeo, Kozmonavt, CriteoBot [by @sanchezzzhak, @sgiehl]
• #7145 Detect devices for existing brands – FiGi, Xiaomi, Hotwav, FiGi [by @sanchezzzhak, @sgiehl]
• #7147 Detect devices for existing brands – Cherry Mobile, Alcatel, Panasonic, Symphony and others [by @sanchezzzhak, @sgiehl]
• #7148 Add detection LastMod Bot [by @abordage, @sanchezzzhak]
• #7149 Detect app Snapchat for Android [by @juliamatsak, @sanchezzzhak]
• #7150 Detect devices for existing brands – Artel, Allview, Sony, F2 Mobile and others [by @sanchezzzhak, @sgiehl]
• #7151 Improve performance by skipping device parse if useragent matches desktop pattern [by @sanchezzzhak, @sgiehl]
• #7152 Detect devices for existing brands – Sharp, Hyundai, Starmobile [by @sanchezzzhak, @sgiehl]
• #7154 Detect devices for existing brands – Infinix, iBrit, Vivax, Karbonn [by @sanchezzzhak, @sgiehl]
• #7155 Detect devices for existing brands – Motorola, QMobile, Infinix and others [by @sanchezzzhak, @sgiehl]
• #7156 Adds detection for apps – Amazon shopping, Snapchat, OkHttp, PayPal IPN and others [by @liviuconcioiu, @sanchezzzhak]
• #7158 Added Internet Browser Secure, Hexa Web Browser, Browspeed Browser to available browsers [by @sanchezzzhak, @sgiehl]
• #7160 Detect devices for existing brands – Winnovo, Samsung, Realme, Maxtron and others [by @sanchezzzhak, @sgiehl]
• #7161 Detect devices for existing brands – iHunt, Aspera, Pixelbook, QMobile [by @sanchezzzhak, @sgiehl]
• #7162 Improves version detection for iOS, macOS and tvOS [by @liviuconcioiu, @sanchezzzhak]
• #7163 Improves version detection for iPadOS [by @liviuconcioiu, @sanchezzzhak]
• #7164 Detect devices for existing brands – QMobile, Fero, Blu, Hometech, Infinix [by @sanchezzzhak, @sgiehl]
• #7165 Adds detection for various apps and browsers [by @liviuconcioiu, @sanchezzzhak]
• #7166 Detect browsers: Rabbit Private Browser, Office Browser, Lynket Browser, Vivid Browser Mini, Yo Browser, Yuzu Browser, BF Browser, G Browser [by @sanchezzzhak, @sgiehl]
• #7167 Adds detection for Nova and improves version detection for Fedora, iOS, macOS, Mandriva, Mint operating systems [by @liviuconcioiu, @sanchezzzhak]
• #7168 Adds detection for various bots and apps [by @liviuconcioiu, @sanchezzzhak]
• #7169 Adds detection for Keepsafe Browser, Inspect Browser and improves detection for Seznam Browser [by @liviuconcioiu, @sanchezzzhak]
• #7171 Detect devices – ClearPHONE, Mintt, Sky Elite D5, and others [by @liviuconcioiu, @sanchezzzhak]
• #7176 Detect devices for existing brands – Hardkernel, Blu, AT&T, Vivo [by @sanchezzzhak, @sgiehl]
• #7177 Detect devices for existing brands [by @sanchezzzhak, @sgiehl]
• #7178 Detect devices Logic L4T, Mastertech, and others [by @liviuconcioiu, @sanchezzzhak]
• #7179 Adds detection for various devices and improves os detection [by @liviuconcioiu, @sanchezzzhak]
• #7181 Rename Oculus brand to Meta and improves detection for Meta Quest 2 [by @liviuconcioiu, @sanchezzzhak]
• #7182 Adds detection for Seolyt Bot [by @liviuconcioiu, @sanchezzzhak]
• #7183 Detect devices for existing brands and new brands – Unistrong, Equator, AXXA [by @sanchezzzhak, @sgiehl]
• #7184 Detect devices for existing and new brands – D-Tech, OneClick [by @sanchezzzhak, @sgiehl]
• #7186 Detect devices for existing and new brand – iXTech [by @sanchezzzhak, @sgiehl]
• #7187 Detect devices for existing and new brands – BlueSky, Legend, Vue Micro [by @sanchezzzhak, @sgiehl]
• #7190 Detect devices for existing and new brands – NTT West, JREN, Tibuta, ATOL, FILIX [by @sanchezzzhak, @sgiehl]
• #7191 Adds detection for LinkWalker bot
• #7193 Optimise devices detection for apple [by @sanchezzzhak]
• #7194 Detect Container-related tools
• #7197 Detect new browsers and apps – Tint Browser, hola!, RedReader [by @sanchezzzhak]
• #7198 Adds detection for RouterOS [by @liviuconcioiu, @sanchezzzhak]
• #7199 Adds detection for INETDEX-BOT and NETZZAPPEN [by @liviuconcioiu, @sanchezzzhak]
• #7201 Detect devices for existing and new brands – HexaByte, CipherLab, BrandCode, Lumitel, Elevate [by @sanchezzzhak]
• #7202 Detect mobile app for Microsoft Office Access [by @sanchezzzhak, @sgiehl]
• #7203 Improves detection for Fairphone devices and Atom, Ecosia, Iridium browsers [by @liviuconcioiu, @sgiehl]
• #7204 Various consumer electronics detected as bots
• #7206 Improves detection for Google and Roku devices [by @liviuconcioiu, @sanchezzzhak]
• #7208 Detect devices for existing and new brands – Ceibal, Weelikeit [by @sanchezzzhak, @sgiehl]
• #7209 Improves client hints version detection for Atom, hola! Browser, Opera, Smart Lenovo Browser [by @liviuconcioiu, @sanchezzzhak]
• #7211 Detect devices for existing and new brands – Boost, Orbsmart, TOX [by @sanchezzzhak, @sgiehl]
• #7212 Adds detection for Panscient bot [by @liviuconcioiu, @sanchezzzhak]
• #7213 Detect devices for existing and new brands – HiHi, M3 Mobile, Hugerock, Coopers [by @sanchezzzhak, @sgiehl]
• #7215 Detect devices for existing and new brands – iStar, ENIE, Dcode [by @sanchezzzhak, @sgiehl]
• #7216 Adds detection for Smart Kassel, X96Q brands and improves detection for various browsers, os, libraries [by @liviuconcioiu, @sanchezzzhak]
• #7217 Adds detection for Amerigo, Internet Browser Private, 18+ Privacy, Beyond Private, Black Lion [by @liviuconcioiu, @sanchezzzhak]
• #7218 Adds detection for Wiseiplay, Always Safe Security 24, Zoe Business [by @liviuconcioiu, @sanchezzzhak]
• #7219 Detect devices for existing and new brands – Stream [by @sanchezzzhak, @sgiehl]
• #7220 Detect Open Browser fast 5G [by @Simbiat, @sanchezzzhak]
• #7221 Adds detection for various apps [by @liviuconcioiu, @sanchezzzhak]
• #7222 Adds detection for various browsers [by @liviuconcioiu, @sanchezzzhak]
• #7227 Detect browsers for ClientHints [by @sanchezzzhak]
matomo-org/referrer-spam-list
• #1323 Add ucban.xyz [by @ericguirbal, @spmedia]
• #1324 Add hrtonline.xyz [by @ericguirbal, @spmedia]
• #1325 Add mytraffic.shop, supertraffic.xyz, trafficdrive.club [by @seoMattH, @spmedia]
• #1326 Add bottraffic329.xyz [by @djprecious, @spmedia]
• #1327 Add getbottraffic4free.xyz [by @djprecious, @spmedia]
• #1328 Add goyua.xyz [by @ericguirbal, @spmedia]
• #1329 Add nanwar.xyz [by @ericguirbal, @spmedia]
• #1330 Add qtrstar.xyz [by @ericguirbal, @spmedia]
matomo-org/searchengine-and-social-list
• #83 Adds TikTok to social networks [by @sgiehl]

We are together creating the best open analytics platform in the world. You can help make Matomo even more awesome by getting involved in Matomo!