Repo Review: matomo-org/matomo

Review note: This analysis is based on repository metadata, documentation, and selected source files. It is not a full security audit. Confidence: high.

Quick facts

GitHub: matomo-org/matomo

Primary language: PHP

Stars: 21,459

License: GPL-3.0-or-later

Last updated: 2026-04-30T04:33:05Z

Documentation signal: excellent

Test signal: strong

Maintenance signal: active

What it is

Matomo, formerly Piwik, is one of the longest-running open-source web analytics platforms. It is a full-featured PHP and MySQL application that you install on your own server, add to sites with a JavaScript tracking tag, and use to collect real-time analytics reports while keeping control of the underlying data.

The project positions itself as a Free/Libre alternative to Google Analytics. That is not just a marketing line: the repository is GPL-3.0-or-later, the README emphasizes user data ownership, and the product has been around long enough to accumulate more than 30,000 commits, more than 21,000 GitHub stars, thousands of forks, a cloud offering, an on-premise support business, and an established security program.

Architecture and stack

Matomo is a traditional server-side web application rather than a lightweight analytics microservice. The core stack is PHP, MySQL or MariaDB, Composer-managed PHP dependencies, and a JavaScript/Vue/Twig frontend. The repository includes core application code, plugins, language files, JavaScript trackers, tests, configuration, and developer tooling.

The plugin model is central to the project. The README calls out that Matomo features are built inside plugins and that users can add, remove, or build features through that system. For an analytics product, that is a major architectural choice: it lets Matomo support broad use cases like ecommerce, goals, campaigns, segmentation, geolocation, reports, visitor logs, and real-time dashboards without making every installation identical.

Development tooling looks mature. The repo points developers to a DDEV environment, uses Composer for PHP dependencies, npm for frontend dependencies, PHPUnit, PHPStan, coding standards, Jest/Vue unit testing, GitHub Actions, BrowserStack-backed UI compatibility checks, and extensive translation management through Weblate.

What looks strong

Matomo's biggest strength is maturity. This is not a weekend analytics dashboard. It is a large, established product used across many real-world deployments, with a clear mission around data ownership and ethical analytics. The repository has active pushes, recent releases, signed release assets, a large community, and formal support channels.

The privacy posture is unusually explicit. PRIVACY.md documents IP anonymization, log deletion, opt-out support, Do Not Track handling, cookie disabling, access control concerns around visitor details, and ways to keep the Matomo server URL private. That does not make every Matomo installation automatically privacy-perfect, but it gives administrators knobs and documentation for responsible operation.

Security also appears to be treated as a first-class concern. SECURITY.md describes a HackerOne bug bounty, rewards for critical and high-impact issues, responsible disclosure by email, server hardening documentation, and security release announcements. For a self-hosted analytics app that stores sensitive behavioral data, this matters a lot.

The test and QA story is strong by open-source web app standards. The README mentions thousands of unit tests and hundreds of automated integration, system, JavaScript, and screenshot UI tests, plus CI and BrowserStack compatibility testing. I did not run those tests, but the stated QA surface is appropriate for a project of this size.

Tradeoffs and risks

Matomo's maturity comes with weight. It is a broad PHP/MySQL application with a long history, a plugin ecosystem, frontend build tooling, and operational concerns around database growth, backups, retention, upgrades, and security hardening. If you only need a tiny pageview counter, Matomo is probably more platform than you need.

The open issue count is high, with GitHub reporting more than 2,500 open issues at review time. For a project this old and widely used, that is not automatically alarming, but it does mean adopters should check whether their target use case has unresolved bugs or compatibility issues before committing.

Matomo's default behavior and privacy controls require administrator choices. The privacy document notes that IP addresses are stored by default, tracked data is stored forever by default, and cookies are used by default unless disabled. The product offers privacy-preserving options, but responsible deployments still need configuration decisions rather than blind installation.

The GPL-3.0-or-later license is a positive signal for software freedom, but it is also something organizations should understand before modifying and redistributing Matomo or integrating it into packaged products.

Who should try it

Matomo is a strong fit for organizations that want serious web analytics without giving Google or another third party control over the data. It is especially relevant for privacy-conscious companies, public sector teams, regulated environments, agencies managing client analytics, and self-hosters who are comfortable operating a real web application and database.

It is less ideal for teams that want near-zero maintenance, minimal infrastructure, or only basic aggregate analytics. Those users may prefer a hosted Matomo Cloud plan, a smaller self-hosted analytics tool, or a managed product depending on budget and privacy requirements.

Bottom line

Matomo is the reference point for mature open-source web analytics. Compared with newer analytics projects, it is heavier and more traditional, but it also has the history, feature breadth, QA investment, plugin architecture, support ecosystem, and privacy/security documentation that newer tools often lack.

My read: if you want a battle-tested, self-hostable Google Analytics alternative and you are prepared to operate a PHP/MySQL application responsibly, Matomo deserves to be near the top of the shortlist. If you want the smallest possible analytics footprint, it may be too much.

Limitations

I reviewed public repository metadata, README content, Composer and npm manifests, privacy and security documents, and release metadata, but did not deploy Matomo or run its upstream test suite.

Matomo has a large plugin ecosystem and commercial cloud/on-premise offerings; this review focuses on the main open-source repository, not every plugin or product tier.

The repository has a very large issue backlog, so open issue count should be interpreted alongside the project's age, scale, and user base rather than as a simple quality signal.