Joomla is the second most popular CMS for websites, with a 6.7% market share and growing.
A Joomla server that is not correctly configured and hardened can be vulnerable to many attacks, including remote code execution, SQL injection, cross-site scripting, information leakage, etc.
Security is as important as website design and content, but we often ignore it until we are negatively impacted.
Security is a process cycle that one should always perform against web applications. In this article, I will talk about tools to scan a Joomla website for vulnerabilities and protect it from attackers.
Joomla Security Scanner Tools
MyJoomla is an all-in-one, award-winning Joomla management tool where you can secure, upgrade, monitor & manage your site. It’s plugin-based, so you have to install it on your Joomla website to start auditing.
MyJoomla is a Joomla-specific solution that audits the content of each file and notifies you in case of any risk.
It’s a subscription-based service, but the first audit is FREE, so you can give it a try to see if you like it.
Once you install the plugin and add your website at MyJoomla, you can get the audit done in less than 5 minutes.
This is how the audit report for my test site looks.
SiteGuarding is a cloud-based website security scanner which also provides a Joomla extension to analyze your website.
In the FREE version of the extension, you get the following:
- Scan up to 500 files
- Daily virus database update
- One scan per day
- Heuristic logic
The Joomla security scan by Hacker Target has two options.
Passive scan – this is a FREE scan, and it does the following:
- Google safe browsing look-up
- Directory index lookup
- External links and their web reputation
- Geolocation & web hosting lookup
Aggressive, active scan – this requires a membership and checks aggressively to detect known exploits and vulnerabilities in themes, extensions, modules, components & the Joomla core.
Detectify is an enterprise SaaS scanner for comprehensive website auditing covering more than 500 vulnerabilities, including the OWASP Top 10.
You can get started for FREE.
JAMSS (Joomla Anti Malware Scan Script) is a script which you have to install in your website’s root location.
Script installation is nothing but uploading the file jamss.php to your web root. JAMSS identifies typical fingerprints and traces of files that could have been compromised.
The script doesn’t do anything on its own; to access the scan report, you just browse to yourwebsite.com/jamss.php. Since the report is served from your web root, remove jamss.php once you are done so it is not publicly readable.
For ex: http://chandan.io/jamss.php
SiteCheck by SUCURI checks for known malware, blacklisting, spam and defacement, and gives you information on the web server, links & included scripts.
The Security Check extension protects your website from more than 90 attack patterns, and it has an inbuilt vulnerability check to test installed extensions for any security risk.
Joomscan is one of the most popular open-source tools to help you find known vulnerabilities in the Joomla core and components, such as SQL injection and command execution. There are two ways you can get it running:
- Download it from the OWASP site and install it on your PC
- Use Kali Linux, which comes with more than 600 tools, including Joomscan
Once you have Joomscan installed, here is how you can run it against a Joomla site to scan for vulnerabilities.
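Several of the tools above check installed extensions against known-vulnerable versions. As an added example (not code from this article or from any of the tools it lists), here is a small Python script that inventories the extensions installed in a Joomla tree from their XML manifests and flags versions older than a fixed version you look up in the Joomla Vulnerable Extensions List or CVE details; the `fixed_in` map and the sample tree are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def parse_manifest(path):
    """Return (name, version, type) from a Joomla <extension> manifest, or None
    for other XML files in the tree (config.xml, access.xml, language files)."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return None
    if root.tag != "extension":
        return None
    return (root.findtext("name", "").strip(),
            root.findtext("version", "").strip(), root.get("type", ""))

def inventory(joomla_root):
    """Walk the whole Joomla tree and collect every manifest found."""
    found = set()
    for dirpath, _, files in os.walk(joomla_root):
        for fn in files:
            if fn.endswith(".xml"):
                info = parse_manifest(os.path.join(dirpath, fn))
                if info and info[0]:
                    found.add(info)
    return sorted(found)

def version_key(v):
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))  # '1.10' > '1.9'

def flag_vulnerable(inv, fixed_in):
    """Extensions older than the first fixed version; fixed_in is a hypothetical
    name -> version map you build from a VEL or CVE lookup."""
    return [(n, v) for n, v, _ in inv
            if n in fixed_in and version_key(v) < version_key(fixed_in[n])]

def build_sample():
    """Constructed Joomla tree: two manifests plus a non-manifest config.xml."""
    root = tempfile.mkdtemp()
    files = {
        "administrator/components/com_demo/demo.xml": '<extension type="component">'
            "<name>com_demo</name><version>1.9</version></extension>",
        "administrator/components/com_demo/config.xml": "<config/>",
        "modules/mod_demo/mod_demo.xml": '<extension type="module">'
            "<name>mod_demo</name><version>2.0.1</version></extension>"}
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    return root
```

Run `inventory("/var/www/html")` on a real install and feed the result to `flag_vulnerable` with the versions you read off the VEL entries for your extensions.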
# ./joomscan -u http://joomlawebsite.com
For example, I executed it against my test site.
As you can see in the results above, it scans for more than 20 vulnerabilities and lets you know if any are found so you can fix and secure Joomla.
I hope the above tools help you scan Joomla for vulnerabilities and keep your website safe and secure. Here are some useful resources to keep you up-to-date with security.
- Joomla Vulnerable Extensions List – http://vel.joomla.org/
- Joomla CVE Details – http://www.cvedetails.com/vulnerability-list/vendor_id-3496/product_id-16499/Joomla-Joomla-.html
- Joomla Developer Network (Security Centre) – http://developer.joomla.org/security-centre.html
- Joomla Security Documentation – https://docs.joomla.org/Security
- Tools to Scan Website Security – https://geekflare.com/online-scan-website-security-vulnerabilities/
- Joomla Security Best Practice – https://geekflare.com/joomla-security/