Most of the time this warning is displayed, just after you have just migrated Piwik to a new URL or server, and the new hostname you use will not be the same as the stored one. In this case, ask your Piwik Administrator to update the Piwik Hostname in Settings > General Settings.

(for geeks only) How does this message improve security?

This warning is a security feature Piwik provides to make Piwik more robust and prevent the so-called “Host Injection” vulnerability. Attackers could try to send fake hostnames to Piwik in an attempt to get users to reset their password through an attacker’s server. If users do that, the attacker could gain access to Piwik. Piwik protects against this type of attack by storing a list of trusted hostnames and checking if the ‘Host’ HTTP header in any request is in this list. If it doesn’t match, we show you a warning.

You can also disable the trusted host security check if for some reason you get this warning a lot, for example if you use Piwik with a changing set of hostnames. To do so,edit your config/config.ini.php and add the following below [General]

[General]
enable_trusted_host_check=0

This feature was developed as a “Security Best Practise”, following a suggestion by a security researcher working with Piwik through our Security Research program.