The Joomla 3.10.999 Project

Joomla 3 reached end of life in August 2023. Since that date, the Joomla Project has not released any further security updates for the 3.x series. If you’re still running Joomla 3, your site is unpatched and exposed.

What was the 3.10.999 project?

Every time a major Joomla series hits end of life, Phil Taylor publishes what he calls the “dot 999” project. It’s a reference repository: the last official release from the supported series, plus community-sourced security patches to keep sites minimally secure after official support stops.

Phil did this for Joomla 1.5, Joomla 2.5, and Joomla 3.10. Most of the patches came from community contributors and from Phil’s own work. The projects sit alongside two other long-running community resources: the community hosted mirror (goes back to the Mambo days) and the core files service (every Joomla file ever officially released).

All three projects are on GitHub:

• Joomla 1.5.999
• Joomla 2.5.999
• Joomla 3.10.999

These are reference repos only. They document the recommended changes to keep sites minimally secure. They were never intended to be complete, forward-compatible, or tracking the latest PHP releases. There are no custom update servers. You grab what you need and apply it yourself.

If you’re still on Joomla 3, it’s time to move

Joomla 3 has been end of life since August 2023, over two and a half years now. The latest supported series is Joomla 6, and the migration tooling has come a long way since the early Joomla 4 days.

Running an unsupported CMS means no security patches and no compatibility fixes. Hosting providers are already dropping the older PHP versions that Joomla 3 needs, so breakage is coming whether you plan for it or not.

The 3.10.999 project was always a stopgap, not a destination. If you haven’t migrated yet, now is the time.

Fix every known Joomla 3 vulnerability with one click

Downloading patches from GitHub and manually editing 55 files per site is fine if you have one or two sites. If you manage dozens or hundreds of Joomla 3 installations, it doesn’t scale.

That’s why mySites.guru built the Joomla 3 Patch Tool. It’s a single toggle that applies every known security fix from the 3.10.999 project directly to your sites. No manual file edits, no separate subscription.

Read the full guide to the Joomla 3 Patch Tool

How it works

The patch tool is in the Site Snapshot for each Joomla 3.10.12 site in your mySites.guru account. Flip the toggle on and the mySites.guru connector compares MD5 hashes of every file that needs patching against the expected patched versions. Anything that doesn’t match gets replaced. Flip it off and the files revert to stock 3.10.12. Fully reversible.

What it patches

The tool modifies 55 files covering every known vulnerability disclosed since Joomla 3.10.12:

• 9 separate XSS vulnerabilities across media selection fields, mail address outputs, filter code, StringHelper, com_fields, wrapper extensions, OutputFilter methods, module chromes, and menu list IDs
• Cache poisoning in pagination
• Open redirects from inadequate URL validation
• Insufficient session expiration in MFA management views
• Environment variable exposure
• ACL violations in multiple core views
• Bug-fix-for-bug-fix patches, where the now-defunct commercial eLTS releases shipped broken code that needed further patching

The full CVE list with links to every advisory is in the patch tool guide.

Bulk patching across all your sites

Got a fleet of Joomla 3 sites? The patch tool has a bulk view that shows every Joomla 3.10.12 site you manage with individual toggles. One screen, all your sites.

Jump straight to it at manage.mysites.guru/en/tools/allsites/Joomla/joomlaconfiguration/joomla3eol.

No eLTS subscription required

The Joomla Project used to offer a commercial eLTS programme for Joomla 3, but that has since ended. mySites.guru includes all known Joomla 3 security patches as part of your standard subscription. The patches come from the same open-source 3.10.999 project.

Patched files show up in audits

After patching, your mySites.guru security audit will flag the modified files as Core File Changes, because they are changes to the original 3.10.12 distribution. You can inspect every diff directly in the audit tool, so you always know what changed and why.

Joomla 3 is still everywhere

Joomla 3 is end of life, but it still runs on a huge number of sites. Joomla’s own usage statistics put 3.10.x at over 35% of reporting installations. If you run a digital agency, you know how it goes: migrating clients takes budget, developer time, and client sign-off. That doesn’t happen overnight, and the sites still need protecting while you work through the backlog.

The 3.10.999 project and the mySites.guru patch tool are there for exactly that gap. Keep sites secure while you plan and execute the migration to Joomla 6.

Get started

Add your Joomla 3 sites to mySites.guru, flip the patch toggle, and get on with the migration planning.

Start your free trial - no credit card required.