Delete it if appropriate
This site isn't vuln at XSS and SQL Injection. Is it using Codeigniter Framework?
No, The site is built using conventional methods.
Nice security, but there are some URLs I can access via file indexing. Check every folders so it can't be indexed by user via URL.
Attention: this site is still vuln at CSRF attack. Check ecery forms and make tokens to send the form.