Superusers can enhance account security by restricting the email domains that can log in to Matomo, and by monitoring inactive users. It is recommended to enable both settings to maintain tighter control over user access and reduce security risks from dormant accounts.

This guide explains how to restrict email domains and enable user inactivity alerts as part of your Matomo security configuration.

Restrict user accounts by allowed email domains

You can configure Matomo to allow only specific email domains when inviting users and for user login. This ensures that only users with email addresses from approved domains can access your Matomo instance.

Before you restrict email domains, review your existing user accounts. If some users currently log in with addresses from external or third-party providers (for example, personal email services), either update those accounts' email addresses before enforcing the restriction or add their email domains to the allowed list.

  1. Log in to Matomo as a Superuser.
  2. Go to Administration (cog icon) > System > General settings > Users Manager.
  3. In the Allowed Email Domains field, enter one or more allowed domains. The help text on the right will highlight which email domains are currently in use.
  4. Click Save.
  • All existing user email addresses must match one of the allowed domains added to the list.
  • When an email domain is in use but not added to the allowed list, users with that domain will not be able to log in.
  • If you do not configure allowed domains, Matomo will accept any email address during login or user creation.
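The pre-enforcement review described above can be rehearsed offline against an exported user list. The following is an added example, not Matomo's own code: the function names and sample users are constructed, and it assumes domains are compared exactly and case-insensitively (whether Matomo also accepts subdomains of an allowed domain is not stated here, so subdomains are reported as blocked).

```python
from collections import defaultdict

def email_domain(address):
    """Return the lower-cased domain part of an address, or None if unparseable."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or not domain or " " in domain:
        return None
    return domain

def audit_allowed_domains(users, allowed_domains):
    """Classify (login, email) pairs against a planned allowed-domain list.

    Assumption: exact, case-insensitive domain match. An empty list means
    no restriction, matching the behaviour described for an unset field.
    """
    allowed = {d.strip().lower().lstrip("@") for d in allowed_domains if d.strip()}
    ok, malformed, blocked = [], [], defaultdict(list)
    for login, email in users:
        domain = email_domain(email)
        if domain is None:
            malformed.append(login)          # fix the address before enforcing
        elif not allowed or domain in allowed:
            ok.append(login)
        else:
            blocked[domain].append(login)    # would be unable to log in
    return {"ok": ok, "blocked": dict(blocked), "malformed": malformed}

# Constructed sample data, standing in for an export of existing accounts.
USERS = [
    ("alice", "alice@example.org"),
    ("bob", "Bob@Example.ORG "),
    ("carol", "carol@mail.example.net"),
    ("dave", "dave@partner.example"),
    ("erin", "erin-at-example.org"),
]
PLANNED_ALLOWED = ["example.org", "partner.example"]

if __name__ == "__main__":
    report = audit_allowed_domains(USERS, PLANNED_ALLOWED)
    for domain, logins in sorted(report["blocked"].items()):
        print(f"{domain}: update or allow before enforcing -> {', '.join(logins)}")
    if report["malformed"]:
        print("unparseable addresses:", ", ".join(report["malformed"]))
```

Every login listed under a blocked domain needs either an updated email address or its domain added to the allowed list before you click Save.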

Enable monthly alerts for inactive users

To further strengthen account security, Matomo can email a monthly list to all Superusers showing accounts that have been inactive for more than 180 days. This allows administrators to review and remove outdated or unnecessary accounts.

  1. Log in as a Superuser.
  2. Go to Administration (cog icon) > System > General settings > Users Manager.
  3. To enable sending a monthly list, select the option Send monthly security email with list of inactive users.
  4. Click Save. When enabled, Matomo checks user activity dates automatically and compiles and sends a monthly list of inactive users.

Combining both settings to review unused user accounts and restrict access to approved organisation email domains provides additional measures to help secure Matomo. Explore related topics on security and user management.
