The Joomla Security Audit program was created by a security researcher to help find vulnerabilities and security problems in your Joomla installation. It is a simple, free tool designed to run an initial scan of the web server for security vulnerabilities and, if it finds any, to provide a detailed report of the issues.
Because the results of this type of scan may have to be opened by administrators of the web server, it is recommended that only people who need to view them use the tool. For example, it will return a negative result for any website that does not require authenticated access when you try to open the report on it.
Many people who work on security problems may not be aware of what this tool is all about, so here is a quick description of the concept. On a typical Joomla installation, there are probably millions of pages which are included in the “public” directory. This directory contains several thousand files, and as a result, most normal users will have no trouble opening them without authentication.
Each page in the public directory can also include some files which are not accessible to everyone, for example security-related files that only authorized users are allowed to view. But no matter what those files are, they are still included in the public directory and can be viewed by anyone with the right password. This allows anyone to view these files and, for instance, to try to break into your system to get the information.
However, if you have any administrators on your Joomla installation (and these can usually be configured to work only through a web interface), you can configure the server to automatically run the Security Audit check on every request made to the admin’s page. This is done by setting up a special web file and sending a report of all the open files from this point on to the administrator’s page. If anything is found in the report, the administrator is notified of the issue and can then be required to correct the problem.
In addition to running the Security Audit on each request made by your administrator, you can also use the tool as a simple, free way to scan the server itself. Enter the URL of the site you want a report on, and it will automatically scan the server and report back with a number of security vulnerabilities it finds.
These automatic reports can be sent by email or saved to an HTML document, which is best if you need to send the report as an attachment to a colleague. It is also possible to set the server to run this check automatically after a certain period of time, so that you can always review the reports as part of scheduled maintenance or a scheduled update.
The reports generated from the scan are very detailed, because they take into account all of the files on the server that are not accessible to administrators. Some of the more technical fields included are the domain name, the subdomains, the IP address of the hosting server, and the name of the site which contains the vulnerability.
As you can see, the initial scan for security vulnerabilities performed by the Security Audit is quite extensive and can often report several issues for a single website. As a result, it is recommended that you use this tool to perform some initial scans on all of your websites before you completely set up the security on your server.
For example, in order to set up your web server with a good level of security, you will need to make sure that all your web applications run through a dedicated IP address, which is only accessible to authorized users. It is also a good idea to install a good firewall and update it regularly with new code.
The tool is powerful and easy to use, but it can also be used to perform simple scans to quickly identify any issues that should be fixed. In fact, if you use the Joomla Security Audit on one of your websites and find any issues, you should also do a manual scan to see whether the issues are also present in the administrator’s account and whether you can re-enable the default password, and then do another scan to confirm.