Joomla sites
Joomla is self-hosted, so TLS, the response-header baseline, and server hardening are the site owner's job, not the platform's. The two recurring gaps are headers that a default install does not send (HSTS, CSP, X-Frame-Options) and out-of-date core or third-party extensions, which are where most Joomla incidents start. A finished-looking site can still score poorly on the headers browsers enforce.
Paste your production hostname and Scorifya checks HTTPS and TLS, security headers, passive SPF, DMARC and MX signals, cookie attributes, and exposure cues. It reads only the public URL, so no administrator login is needed. Results in under 30 seconds.
This page is written for people searching for Joomla security check—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A: long-running site, headers untouched
TLS is fine and the site loads cleanly, but the header baseline was never configured, so the headers category holds the score back.
Strict-Transport-Security absent
HTTPS works, but without HSTS browsers cannot enforce HTTPS-only on return visits. The header is set in your web server or proxy, not inside Joomla.
Content-Security-Policy missing
Templates and extensions pull scripts from multiple origins, so a CSP needs an inventory first. Scorifya flags the gap so you can stage a report-only policy.
Version detail exposed
A verbose Server banner or readable version file gives an attacker a target. Trim banners and remove leftover install files.
Example B: hardened server, mail DNS to finish
Core headers and TLS match production. The remaining work is in email authentication on the sending domain.
DMARC at p=none
The record monitors but does not enforce. Move to quarantine once your legitimate senders align.
CSP allows broad script hosts
A policy exists but whitelists large CDNs. Tighten it as you reduce the extensions and libraries the template loads.
Update Joomla core and every extension promptly
Most Joomla compromises start with a known flaw in an out-of-date extension or old core. Keep core current, update or remove third-party extensions you no longer use, and only install extensions that are actively maintained. The admin update notifications are there for a reason.
Add the security-header baseline at the server
A default Joomla install does not send HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, or Permissions-Policy. Set them in your web server (Apache or nginx) or a reverse proxy so every response carries them. Joomla can also send some headers through its global configuration, but the server layer is the most reliable place.
Rename htaccess.txt and harden file permissions
Joomla ships its rewrite rules as htaccess.txt. Rename it to .htaccess so the rules take effect, then lock down configuration.php and directory permissions to the recommended values so they cannot be written or read by the web.
Protect the administrator path and enable two-factor
Restrict access to the /administrator path where you can, and turn on Joomla's built-in two-factor authentication for admin accounts. Removing leftover install directories and limiting login exposure cuts the most common attack paths.
Publish SPF and DMARC if the domain sends email
If your Joomla site sends contact-form, transactional, or newsletter email, publish SPF and DMARC on the sending domain. A missing DMARC record lets anyone spoof your domain, and Scorifya reads those records passively from public DNS.
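As an added example (not Scorifya's code) of the passive checks described in the header-baseline tip and the SPF/DMARC tip above: the functions below evaluate a constructed set of response headers against that header list, flag broad script sources in a CSP and a version-bearing Server banner, and read the p= policy from a constructed DMARC TXT record. The 180-day HSTS threshold and the definition of a "broad" script source are assumptions, not Scorifya's actual weights.

```python
import re

# Headers a default Joomla install does not send (the baseline listed above).
BASELINE_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options",
                    "referrer-policy", "permissions-policy")
MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # assumed threshold: under 180 days is "too short"
# Assumed definition of a "broad" script source: wildcard, scheme-only, inline or eval.
BROAD_SOURCES = {"*", "http:", "https:", "'unsafe-inline'", "'unsafe-eval'"}

def broad_script_sources(csp: str) -> list[str]:
    # Parse directives; script-src governs scripts, default-src is its fallback.
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src") or directives.get("default-src") or []
    return [s for s in sources if s in BROAD_SOURCES or s.startswith("*.")]

def check_headers(headers: dict) -> list[str]:
    # Header names are case-insensitive, so normalise before comparing.
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"{name} absent" for name in BASELINE_HEADERS if name not in h]
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < MIN_HSTS_MAX_AGE):
        findings.append("strict-transport-security max-age too short")
    broad = broad_script_sources(h.get("content-security-policy", ""))
    if broad:
        findings.append("content-security-policy allows broad script hosts: " + ", ".join(broad))
    if re.search(r"/\d", h.get("server", "")):  # "Apache/2.4.57" leaks a version
        findings.append("version detail exposed in Server header")
    return findings

def dmarc_policy(txt_record: str) -> str:
    # Returns the p= tag of a DMARC record, or "missing" if the TXT is not DMARC.
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return "missing"
    return tags.get("p", "none").lower()

# Constructed inputs mirroring Example A (headers untouched) and Example B.
EXAMPLE_A = {"Server": "Apache/2.4.57 (Ubuntu)", "X-Frame-Options": "SAMEORIGIN"}
EXAMPLE_B = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
             "Content-Security-Policy": "default-src 'self'; script-src 'self' https: 'unsafe-inline'",
             "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
             "Referrer-Policy": "strict-origin-when-cross-origin", "Permissions-Policy": "camera=()"}
DMARC_B = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
```

Running `check_headers(EXAMPLE_A)` reproduces the Example A findings (five absent headers plus the exposed version), while `check_headers(EXAMPLE_B)` and `dmarc_policy(DMARC_B)` reproduce Example B's broad-CSP and p=none findings.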
For weights and penalties behind each category, see How Scorifya works.
Background explainers for what this tool checks.
Joomla core is actively maintained and considered solid when kept current. Because it is self-hosted, the security of a specific site comes down to configuration and maintenance: response headers, TLS, file permissions, the administrator path, and especially keeping core and third-party extensions patched. A well-maintained Joomla site can score very highly.
The usual findings are: out-of-date core or vulnerable third-party extensions, a missing header baseline (no HSTS or CSP), an htaccess.txt that was never renamed to .htaccess, exposed version or install files, weak administrator protection, and incomplete SPF or DMARC when the domain sends email. Extensions are the most common entry point.
No. Joomla serves HTTPS once you have configured TLS, but it does not send Strict-Transport-Security or the other browser security headers by default. You add them in the web server or a reverse proxy. Joomla's global configuration can emit some headers, but they have to be enabled deliberately.
Paste your public URL above. Scorifya passively checks TLS, security headers, email DNS (SPF, DMARC, MX), cookie attributes, and exposure cues, then returns a 0 to 100 score with the specific fixes. It does not log into Joomla or run application exploits; it reports what a browser and public DNS reveal, which covers most quick wins.
No. Only the public URL is requested. Anything behind the administrator login stays invisible to these passive checks, so it is safe to run against a live site.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.