Matomo 5.2.0 and 5.2.1

What’s new in Matomo 5.2.0 and 5.2.1

Matomo 5.2.0 and 5.2.1, our latest releases, bring improvements to security, privacy, and efficiency, and addresses several bug fixes.

Updates include a timestamp mechanism for secure On-Premise installations, PHP 8.4 compatibility, enhanced account security with password controls and login alerts, and a new Exclude Global List to filter sensitive Query URL parameters.
Matomo Tag Manager now also supports CMP tags and lets you copy containers, tags, and triggers for faster setup.

Security updates

Installer timestamp mechanism for a more secure On-Premise setup

A significant security improvement was added to the on-premise installation process to ensure your setup remains secure. To enhance security and prevent unauthorised access, the installer now records a timestamp upon first access, creating a time-limited installation window of 72 hours.

For flexibility, authorised users can manually reset this window if needed by following the instructions in the guide on how to manage secure access to the Matomo Installer.

PHP 8.4 compatibility for better performance and reliability

Matomo has been updated to ensure seamless compatibility with PHP 8.4, bringing enhancements that improve functionality, address deprecation warnings, and align with modern PHP standards. These updates ensure a smoother experience for users running the latest PHP version.

Enhanced Account Security

Password reset emails with links to cancel unauthorised requests

Matomo now includes a This Wasn’t Me link in password reset emails, providing users with an added layer of security and control. If a password reset request is accidental or unauthorised, users can cancel it instantly by invalidating the reset link. This enhancement strengthens account protection by ensuring that only legitimate password changes are processed.

Login alerts to secure your account from unauthorised access

An additional layer of security is added to automatically send email notifications to users whenever a login is detected from a country different from their previous login location. This feature helps users stay informed about potentially suspicious activity on their accounts. If the login is unauthorised, users are prompted to take immediate action, such as changing their password or contacting their administrator to secure their account.

An email notification to Matomo users if there are any unusual logins.

Exclude Global List to remove sensitive or unnecessary URL parameters for better privacy

In Measurables > Settings, the options for the Global list of Query URL parameters to exclude lets you refine your tracking and reporting by excluding unnecessary or sensitive parameters. With this feature, you can choose to exclude common session parameters, Matomo-recommended personally identifiable information (PII), or define custom exclusions.

matomo Global list of URL query parameters to exclude

Matomo Tag Manager

Consent Management Platform (CMP) tags for easier compliance and consent tracking

Matomo Tag Manager now includes new tags for Consent Management Platforms (CMPs), such as CookieYes, OneTrust, and Axeptio, making it easier to integrate and manage consent tracking. These CMP-specific tags help streamline compliance workflows by reducing manual configuration, ensuring accurate data tracking aligned with user consent preferences.

consent manager cmp tags in matomo tag manager

Copy containers, tags, and triggers to save time and ensure consistency

A new copy feature in Matomo Tag Manager allows users to effortlessly duplicate containers, tags, triggers, and variables, significantly speeding up configuration and setup. This feature is especially useful for users managing multiple websites or projects with similar tracking needs, as it eliminates repetitive manual work. By reusing pre-configured components, users can maintain consistency across implementations, reduce the risk of errors, and save valuable time.

After you update

  • Please help us spread the word! Maybe you can write about the project on your blog, website, twitter, talk at conferences or let your friends and colleagues know what is Matomo. Already 1,000,000+ websites are keeping full control of their web analytics with Matomo!
  • Use the forums if you have any question or feedback (free support),
    or purchase a Support Plan to get professional support and guidance.
  • To improve Matomo in your language consider contributing to translations.
  • You can also support our efforts by purchasing valuable Premium Features for Matomo or try our Matomo Cloud solution.

Database upgrade

This release does not contain any major database upgrade.

Need help upgrading Matomo?

Read the Updating Matomo user guide or for more help we offer paid support plans.

Tickets closed in Matomo 5.2.0

PHP 8.4

  • #22471 Ensure Matomo is functional with PHP 8.4. [by @sgiehl]
  • #22693 Explicitly mark parameters as nullable where necessary, eliminating deprecation warnings and ensuring compatibility with PHP 8.4. [by @sgiehl]
  • #22690 Replace the usage of Zend_Session_SaveHandler_Interface with the PHP built in interface SessionHandlerInterface, which can be directly passed to session_set_save_handler. [by @sgiehl]
  • #22667 Fixes for PHP 8.4. [by @sgiehl]
  • #22803 Correct EOL dates of PHP versions. [by @sgiehl]

Security

  • #22750 Enhanced security to manage secure access to the Matomo Installer. Learn more. [by @mneudert]
  • #9152 Matomo will notify users by email when a login is detected from a different country than the user’s usual login area. [by @michalkleiner]
  • #14543 Matomo now includes a This Wasn’t Me link in password reset emails, allowing users to cancel accidental or unauthorised password change requests by deleting the reset link from the database. [by @mneudert]
  • #22644 Improve handling for changing email of invited users where changing the email address of an invited user did not invalidate the original invitation link. [by @sgiehl]
  • #20716 Restricted the ability to write annotations to users with ‘Write’ permission and adjusted the API accordingly. [by @sgiehl]
  • #7029 Migrate from md5 to sha256 in config/manifest.inc.php to enhance security. [by @sgiehl]

Marketplace plugins

  • #22694 The marketplace cards now display the owner’s name for each plugin. [by @AltamashShaikh]
  • #21003 Add console plugin:install command to automate the process of fetching and installing the latest compatible version, replacing the manual wget-unzip method. [by @jsantos42]
  • #22559 Addressed performance slowdowns in the CustomVariables, Cohorts, and MarketingCampaignsReporting plugins by adding the ability to enforce index usage during log aggregation. [by @snake14]

User Interface

Admin settings

  • #18667 When setting up 2FA in Personal > Security, the QR code remains securely hidden and only displayed on the user’s request. [by @michalkleiner]
  • #22729 Introduce new configurable exclusion types for Global list of Query URL parameters to exclude. Users can choose which parameters to exclude from tracking and reporting. [by @caddoo]

All websites

  • #18978 Add Total Hits for all websites and Total Hits per site. [by @sgiehl]

General

  • #17784 Enhance the style for the AdBlock warning when starting the installation process. [by @AnandaCampelo]
  • #19779 Improve title of Ecommerce Overview widget in the dashboard. [by @tsteur]
  • #22668 Refine the workflow for number verification in mobile messaging and increase security on the code’s validity. [by @sgiehl]

Matomo Tag Manager

  • #22484 Enhance the website deletion process to help users manage and export associated Tag Manager containers. [by @AltamashShaikh]
  • #813 Improve the instructions displayed when installing Matomo Tag Manager. [by @snake14]
  • #910 Consent Management Platform tags for Axeptio, CookieYes, and OneTrust. [by @AltamashShaikh, based on work by OpenMost]
  • #911 Add introductory explainer text to the container dashboard screen. [by @AltamashShaikh]
  • #917 Implement a new copy feature for containers. [by @snake14]
  • #924 Implement a new copy feature for tags. [by @snake14]
  • #936 Implement a new copy for triggers and variables. [by @snake14]
  • #928 Disable the spell check in the Custom HTML tag > Custom HTML field. [by @AltamashShaikh]
  • #938 Add new in-app links to FAQs on how to copy containers, tags, triggers, and variables. [by @snake14]

Reports

  • #22646 Resolve correct handling of formulas in CSV export where website names starting with = and containing null bytes were not properly escaped in CSV exports. [by @sgiehl]
  • #22344 Add the evolution graph and the segmented visit log to the Referrer report in Acquisition > All Channels. [by @sgiehl]
  • #22552 Update the Annotation API to disable automatic sanitisation, manually sanitise notes before storage, limit annotation notes to 255 characters and add type hinting to ensure parameter correctness. [by @sgiehl]
  • #22462 Allow the sorting of email reports by description in API & UI. [by @sgiehl]
  • #22364 Added attribution information for eCommerce conversions to API responses and updated the visits log to display attribution details for all conversion types in the action tooltip. [by @sgiehl]
  • #22279 Allow alphabetical sorting of goals in Manage Goals and all Goal-related reports. [by @sgiehl]
  • #22473 Standardised the order of goals in reports by sorting them by ID, ensuring consistent display across databases and resolving test failures on TiDB. [by @sgiehl]

Database and configuration

  • #22634 The database collation is now written to the configuration to ensure consistency between the database connection and table collations, and to avoid issues when running the core:convert-to-utf8mb4 command. [by @sgiehl]
  • #22355 Refactored table optimisation logic to the Schema classes to account for differences in database engines (MySQL, MariaDB, TiDB). For TiDB, where table optimisation is not supported, the feature is now deactivated. [by @sgiehl]
  • #22271 Aligned table and database creation to ensure consistent collation across engines, addressing differences in sorting behavior between TiDB’s default utf8mb4_general_bin and MySQL’s utf8mb4_general_ci. [by @mneudert]
  • #22485 Ensure utf8 is always used for load data infile on TiDB to resolve compatibility issues with the latin1 charset. [by @sgiehl]

Feature Management and Release Process

  • #22221 Introduce a feature flag system to control the release of new features, ensuring stability by allowing code deployment without immediate visibility to users. [by @caddoo]
  • #22367 Introduce a workflow to automate preview releases, including version determination, testing, and publishing on success. [by @michalkleiner]

Developer tools and code standards

  • #22711 Update to use the automation user for committing built Vue files, ensuring that subsequent actions, such as tests, are triggered correctly after these commits. [by @sgiehl]
  • #22421 Aligned the project with the Matomo coding standards repository to ensure consistent code quality and formatting across the codebase. [by @sgiehl]
  • #22488 Test fixes for TiDb; improve test stability across DB engines. [by @sgiehl]
  • #22648 Improve console message handling by allowing single strings to be passed directly. [by @michalkleiner]
  • #22610 Update DOMPurify to 2.5.6. [by @sgiehl]
  • #22679 Enable automatic NPM updates using Dependabot, limited to minor and patch versions. [by @sgiehl]

Archiving improvements

Matomo introduces key enhancements to the archiving process to improve performance, reliability, and flexibility for both on-premise and cloud users:

  • #22546 Optimised segment archiving: The –skip-segments-today flag in the core:archive command now prevents invalidations for segments not only for the current day but also for higher periods (week, month, year). This ensures faster and more efficient archiving by skipping unnecessary updates. [by @sgiehl]
  • #22400 Smarter archiving for recent data: The system now avoids reprocessing yesterday’s data if an archive built after midnight already exists or if another archiving process started after midnight is still running. This reduces redundant work and speeds up archiving operations, particularly for users managing high-traffic environments. [by @sgiehl]
  • #22435 Configurable recovery for failed archiving: A new recovery timeout setting, archiving failure recovery timeout (in seconds), allows users to configure retries for interrupted archiving processes. This ensures that archiving can resume automatically after disruptions, enhancing reliability and minimising manual intervention. [by @sgiehl]

Tracking

  • #22728 Add 3D printing files to download extensions (STL, OBJ, 3MF and PLY. [by @nallath, @sgiehl]
  • #22549 Enable support for Chrome’s formFactors client hint in Matomo’s JavaScript Tracker. [by @sgiehl]
  • #22334 Updated the ResponseBuilder to return a 404 status code when a non-existing method is requested. [by @ BVancea25]

Tickets closed in Matomo 5.2.1

We are together creating the best open analytics platform in the world. You can help make Matomo even more awesome by getting involved.