Tech Stack Guides

How to Tell If a Website Uses Matomo

Matomo is the privacy-first, self-hostable analytics platform. Here is how to detect it on any site using script URLs, the _paq object, the matomo.php beacon and first-party cookies.

StackOptic Research Team27 May 20268 min read
Detecting Matomo analytics on a website through its script and tracking beacon

Matomo is the analytics platform organisations reach for when they want Google Analytics-style reporting without handing visitor data to Google. If you are trying to work out whether a website runs it, the quickest definitive answer is to open the browser's Network tab and look for a request to matomo.php (or the older piwik.php) — that single beacon confirms a live install. This guide walks through every reliable signal, from a five-second source check to confirming a self-hosted deployment, and explains what the result tells you about the organisation behind the site.

What is Matomo?

Matomo (known as Piwik until 2018) is an open-source web analytics application that competes directly with Google Analytics. Its defining characteristic is data ownership: you can self-host Matomo on your own server so that no visitor data ever leaves your infrastructure, or you can use the managed Matomo Cloud service. Either way, the organisation — not a third-party advertising company — controls the raw data.

That positioning makes Matomo popular with public-sector bodies, universities, healthcare and finance organisations, privacy-focused startups, and anyone navigating strict GDPR interpretations. It offers the familiar analytics feature set — visits, referrers, goals, funnels, e-commerce reporting, heatmaps and session recordings through plugins — but can be configured to run without cookies and to anonymise IP addresses. Because adopting Matomo is a deliberate decision rather than the default, its presence on a site is genuinely informative: someone chose it on purpose, usually for privacy or compliance reasons.

Matomo's history matters for detection too. The project shipped for over a decade as Piwik, so a large installed base still carries piwik naming in its code and endpoints. Treat any piwik.* signal as Matomo.

How Matomo loads and sends data

Understanding the mechanics makes the signals obvious. A Matomo install drops a small snippet on every page that defines a global _paq array, queues a couple of commands (typically setTrackerUrl, setSiteId and trackPageView), and then asynchronously loads the main library, matomo.js. Once loaded, the library reads the queued commands and fires a tracking request — an HTTP call to matomo.php carrying the site ID and the recording flag rec=1, plus details of the page, referrer, screen size and a visitor identifier.

Identity is stored in first-party cookies prefixed _pk_id (the persistent visitor ID), _pk_ses (the current session) and sometimes _pk_ref (the referrer attribution window). Crucially, because Matomo is so often self-hosted, both the library and the matomo.php endpoint frequently live on the site's own domain or a subdomain like analytics.example.com rather than on a recognisable vendor host. That is what makes naive detection unreliable and why you should corroborate signals.

How to tell if a website uses Matomo

Confirm at least two of the following.

1. View the page source. Right-click and choose View Page Source (or press Ctrl+U / Cmd+Option+U) and search the HTML for matomo, piwik or _paq. The classic embed snippet defines a _paq array and loads matomo.js:

var _paq = window._paq = window._paq || [];
_paq.push(['trackPageView']);
(function() {
  var u = "//analytics.example.com/";
  _paq.push(['setTrackerUrl', u + 'matomo.php']);
  _paq.push(['setSiteId', '1']);
  var g = document.createElement('script');
  g.async = true; g.src = u + 'matomo.js';
  document.head.appendChild(g);
})();

The setTrackerUrl value reveals exactly where Matomo is hosted, which is useful intelligence in itself.

2. Open the Network tab. This is the most reliable method. Reload the page with developer tools open, filter requests for matomo or piwik, and look for the tracking beacon — matomo.php?idsite=1&rec=1&... (or piwik.php). The presence of rec=1 means a hit is being recorded. You will also see the matomo.js script load earlier in the request waterfall.

3. Check the JavaScript console. Type _paq and press Enter. If Matomo is present you get an array back. Typing Matomo (or Piwik on older installs) may also return the tracker object, which exposes methods like getTracker and getAsyncTracker.

4. Inspect cookies. In the Application (Chrome) or Storage (Firefox) panel, look for first-party cookies prefixed _pk_id., _pk_ses. and sometimes _pk_ref.. These are Matomo's visitor and session identifiers and they persist even when tracking is self-hosted on the first-party domain — making them a dependable fallback.

5. Look for Matomo Cloud or Matomo Tag Manager. Managed installs load from *.matomo.cloud (for example yourorg.matomo.cloud). If the site uses Matomo Tag Manager you will see a container_*.js file served from the Matomo host, which then injects the tracker.

What the Matomo signals look like

A live recording request typically reads like this in the Network tab:

GET https://analytics.example.com/matomo.php?idsite=1&rec=1&r=8f3a&url=https%3A%2F%2Fexample.com%2Fpricing&_id=ab12cd34&...

Alongside it you will find the _pk_id.1.xxxx and _pk_ses.1.xxxx cookies set on the site's own domain. The combination of the matomo.php beacon, the _paq array and the _pk_ cookies is conclusive — no other analytics tool produces that exact trio, so once you see two of the three you can be confident.

Matomo versus similar tools — avoiding false positives

A few things trip people up. First, legacy Piwik: old sites still load piwik.js and hit piwik.php; treat these as Matomo, not a different product. Second, renamed endpoints: privacy-minded admins sometimes rename matomo.php via the setTrackerUrl config to something innocuous to evade ad blockers, so rely on the _paq object and _pk_ cookies if the beacon name is unfamiliar. Third, first-party hosting: when Matomo runs on the site's own domain there is no third-party request at all, which can make basic scanners report "no analytics". Fourth, Matomo Tag Manager can inject the tracker at runtime, so the library may appear only after other scripts execute — always check the live page rather than the static HTML alone. Finally, do not confuse Matomo with Plausible or Fathom, the other privacy-first analytics tools; those use entirely different scripts and endpoints.

Why it is worth knowing a site uses Matomo

Detecting Matomo is more than trivia. For sales and competitive research, a Matomo install tells you the organisation prioritised data ownership and privacy — valuable if you sell compliance tooling, privacy consulting, managed hosting or a competing analytics product, because you already understand the buyer's motivations. For agencies, it signals a client who may need help maintaining, upgrading or securing a self-hosted analytics stack, which is a concrete service opportunity. For migration projects, knowing the incumbent analytics platform shapes the data-export and historical-continuity plan, since Matomo's data model differs from Google's. For due diligence, self-hosted analytics is one indicator of an engineering team that makes deliberate infrastructure choices rather than defaulting to whatever is free. And for journalists and researchers studying how organisations handle data, Matomo adoption is a quantifiable privacy signal.

How reliable is each Matomo signal?

Not every signal carries the same weight, and knowing the hierarchy keeps you from false conclusions. The matomo.php (or piwik.php) network beacon is definitive — it is the request that records the visit, so its presence proves Matomo is live and collecting, not merely present in the code. The _pk_id and _pk_ses cookies are nearly as strong, because only Matomo sets that exact prefix. The _paq global is reliable but slightly weaker on its own, since a developer could in theory define a similarly named variable; pair it with the beacon or cookies. The weakest standalone signal is a static reference to matomo.js in the page source, because a library file can be referenced without being initialised, or left behind after a tracker was removed. As a working rule: treat one definitive signal (beacon or cookie) as conclusive, and require two circumstantial signals before you commit. This matters more for Matomo than for cloud-only tools precisely because self-hosting removes the easy vendor-domain shortcut.

What a Matomo install reveals about an organisation

Beyond confirming the tool, a Matomo deployment is a window into how an organisation thinks about data. A self-hosted Matomo — where the setTrackerUrl points to the site's own domain or a subdomain like analytics.example.com — signals a team that took on the operational burden of running analytics infrastructure specifically to keep data in-house. That is a strong indicator of a privacy or compliance mandate, common in healthcare, government, higher education, and EU public-sector bodies that cannot legally send visitor data to US advertising companies. A Matomo Cloud deployment (*.matomo.cloud) signals the same privacy preference but a willingness to outsource operations, which is typical of smaller privacy-conscious businesses, agencies and consultancies.

There is even more to infer from the configuration. If you see IP anonymisation reflected in the beacon parameters, or an active tracker that sets no _pk_ cookies at all, the organisation has adopted a cookieless, consent-light posture — useful intelligence if you sell consent-management platforms, privacy auditing, or GDPR consulting, because they have clearly already engaged with the problem. Conversely, a site running both Matomo and Google Analytics is often mid-migration or deliberately hedging, which can be a timely opening for anyone selling analytics services. And because Matomo is open source, its presence sometimes correlates with a broader open-source-friendly stack (self-hosted tooling, Linux servers, privacy-respecting fonts and maps), so it is worth checking what else the site runs.

A quick Matomo detection checklist

  • Open the Network tab, filter for matomo or piwik; a matomo.php?...&rec=1 request is conclusive.
  • Search the page source for _paq, matomo.js or piwik.js.
  • Type _paq in the console and confirm an array is returned; try Matomo for the tracker object.
  • Check cookies for the _pk_id, _pk_ses and _pk_ref prefixes.
  • Read the setTrackerUrl value to learn whether Matomo is self-hosted or on Matomo Cloud.
  • Require at least two signals before concluding, since self-hosting hides the obvious ones.

Detecting Matomo at scale

Checking one site by hand is quick; auditing hundreds is not. If you need to know which sites in a list run Matomo — for prospecting, market research or a portfolio audit — a website intelligence tool automates the same signal-matching across every URL at once. StackOptic detects Matomo and 7,000+ other technologies from a real browser, so self-hosted and tag-manager-injected installs are caught too. For background on the broader category, see our guide to finding out what analytics a website uses, the overview of how to check if a website uses Google Tag Manager (a common Matomo delivery path), and the full Matomo technology profile.

Frequently asked questions

What is the fastest way to tell if a site uses Matomo?

Open your browser's developer tools, switch to the Network tab, reload the page and type 'matomo' into the filter box. If the site uses Matomo you will see a request to matomo.php (or the older piwik.php) with query parameters such as idsite and rec=1. That beacon is the definitive fingerprint because it is the request that actually records the visit.

Why is Matomo harder to detect than Google Analytics?

Matomo is open source and very commonly self-hosted, so instead of loading from a fixed Google domain the library and tracking endpoint often sit on the site's own server or a custom subdomain. Some administrators also rename matomo.php to disguise it. You therefore cannot rely on a single recognisable domain and should confirm with the _paq object and the _pk_ cookies as well.

What is the _paq object in Matomo?

_paq is the global JavaScript array Matomo uses as a command queue. Page code pushes tracking instructions onto it, for example _paq.push(['trackPageView']), and the Matomo library processes them. Typing _paq into the browser console and getting an array back is a strong confirmation that Matomo is present.

Is Matomo the same as Piwik?

Yes. Matomo was called Piwik until early 2018, when the project rebranded. Older installations still load piwik.js and send hits to piwik.php, and you may still see piwik-prefixed code in legacy sites, so treating piwik.* signals as Matomo is correct.

Does finding Matomo tell me anything about the company?

Often, yes. Choosing Matomo over the free, ubiquitous Google Analytics usually signals that the organisation cares about data ownership, GDPR compliance or avoiding Google specifically. That is a meaningful qualifying signal if you sell privacy, compliance or hosting services.

Analyse any website with StackOptic

Get the full technology stack, performance, security and SEO report in seconds — free.

Analyse a website

Related articles