Joomla Site Security Audit
Joomla has a centralized Security Advisories system (JSST), but outdated extensions and incorrect configuration are common sources of vulnerabilities.
Automated Scanning
# Joomscan — specialized scanner
perl joomscan.pl -u https://yourdomain.com
# OWASP ZAP passive scanning
zap-cli quick-scan --self-contained --spider https://yourdomain.com
# Nikto — general web scanner
nikto -h https://yourdomain.com
Checklist
Versions:
- Joomla core — current version
- All extensions — current versions
- PHP 8.1 or newer; older PHP branches are EOL and receive no security fixes
Configuration:
// configuration.php — mandatory parameters
public $debug = '0'; // don't show errors or the debug console
public $error_reporting = 'none'; // or 'simple'
public $force_ssl = '2'; // enforce HTTPS for the whole site (1 = administrator only)
public $sef = '1'; // SEO-friendly URLs
public $robots = 'noindex, follow'; // for staging only (the key is $robots, not $robot)
public $cookie_httponly = '1'; // cookie protection
public $cookie_secure = '1'; // HTTPS only
public $lifetime = '15'; // minutes — session time
public $session_handler = 'database'; // sessions in DB (not files)
File Permissions:
# World-writable PHP files (there should be none)
find /var/www/yourdomain.com -type f -name "*.php" -perm /o+w
# configuration.php should be 444 or 400 and owned by the deploy user, not the web server
stat -c '%a %U %n' /var/www/yourdomain.com/configuration.php
# PHP files in the uploads folder; any hit is a sign of compromise
find /var/www/yourdomain.com/images -name "*.php"
Hide Version:
// At the end of configuration.php
public $MetaVersion = '0'; // don't show Joomla version in meta tag
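As an added example, not part of the original checklist, the following Python script parses a `configuration.php` and reports deviations from a subset of the Configuration and Hide Version settings above. The expected values and the sample config are assumptions constructed here for the check.

```python
import re

# Expected values taken from the checklist above (assumed here to be the audit baseline).
EXPECTED = {
    "debug": ("0",), "force_ssl": ("2",), "sef": ("1",),
    "error_reporting": ("none", "simple"),
    "session_handler": ("database",), "MetaVersion": ("0",),
}
MAX_LIFETIME = 15  # session lifetime in minutes

# One `public $name = value;` line; the value may be quoted or a bare literal such as false.
PARAM_RE = re.compile(r"^\s*public\s+\$(\w+)\s*=\s*(?:'([^']*)'|\"([^\"]*)\"|([^;]+?))\s*;", re.M)

def parse_config(php_source):
    """Return {name: value} for every public property in a configuration.php."""
    params = {}
    for m in PARAM_RE.finditer(php_source):
        name, *values = m.groups()
        raw = next(v for v in values if v is not None).strip()
        # Map PHP booleans onto the '0'/'1' strings the Joomla installer normally writes.
        params[name] = {"false": "0", "true": "1"}.get(raw.lower(), raw)
    return params

def audit_config(php_source):
    """Return a list of findings; an empty list means the checked settings pass."""
    params = parse_config(php_source)
    findings = []
    for name, allowed in EXPECTED.items():
        actual = params.get(name)
        if actual is None:
            findings.append(f"{name}: missing (expected {' or '.join(allowed)})")
        elif actual not in allowed:
            findings.append(f"{name}: '{actual}' (expected {' or '.join(allowed)})")
    lifetime = params.get("lifetime")
    if lifetime is None or not lifetime.isdigit() or int(lifetime) > MAX_LIFETIME:
        findings.append(f"lifetime: {lifetime!r} (expected <= {MAX_LIFETIME} minutes)")
    return findings

# Constructed sample of a misconfigured configuration.php (not taken from a real site).
SAMPLE_CONFIG = """<?php
class JConfig {
    public $debug = '1';
    public $error_reporting = 'maximum';
    public $force_ssl = '0';
    public $sef = '1';
    public $lifetime = '60';
    public $session_handler = 'filesystem';
    public $MetaVersion = false;
}
"""
```

Run `audit_config(open('configuration.php').read())` against a real site; the sample above yields five findings (debug, force_ssl, error_reporting, session_handler, lifetime).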
Close access to administrator/ with an IP restriction in Nginx. A regex location such as `location ~ \.php$` takes precedence over a plain prefix location, so `/administrator/index.php` would bypass a bare `location /administrator` block; use `^~` and hand PHP to FPM inside the block:
location ^~ /administrator/ {
allow 1.2.3.4; # your IP
deny all;
location ~ \.php$ { # copy the fastcgi_* directives from your main PHP location
include fastcgi_params;
fastcgi_pass unix:/run/php/php8.1-fpm.sock; # adjust to your PHP-FPM socket or port
}
}
Check Extensions for Vulnerabilities: compare every installed extension against the Vulnerable Extensions List (VEL) at https://vel.joomla.org.
# Quick check via curl
curl -s https://vel.joomla.org/joomla-vel-json-feed | \
python3 -c "import sys, json; data = json.load(sys.stdin); print([d['title'] for d in data['items']])"
HTTP Security Headers (Nginx; the 'unsafe-inline' entries in the CSP are a compromise for Joomla's inline scripts and styles, not a final policy):
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
2FA: Check if two-factor authentication is enabled for administrators.
Custom Code Verification
# SQL Injection in custom components: raw superglobals (should go through Joomla's input API instead)
grep -rn '\$_GET\|\$_POST\|\$_REQUEST' administrator/components/com_custom/
# Queries built without quote()/quoteName(); a heuristic, review each hit by hand
grep -rn '->query\|->loadResult' administrator/components/com_custom/ | grep -v 'quoteName\|quote('
Timeline
Joomla site security audit — 1 day. Remediation of found issues — 3–8 hours.