I found some good tips on Joomla security at HotJoomlaTemplates.com:
- Keep your Joomla core up-to-date.
- Keep all your Joomla extensions (components, modules, plugins, templates) up-to-date as well. Follow the extensions’ websites and upgrade each extension as soon as a new version is released.
- Uninstall all extensions that you don’t need.
- Delete the super administrator account with ID=62, if it exists in your Joomla user manager.
- Change the default username of your super administrator account from “admin” to something else.
- Use passwords that are a combination of lowercase and uppercase letters, numbers and special characters.
- Don’t CHMOD files on your server to 777. Use 644 instead. When you need to change some files, CHMOD them to 775 and, once you’re done, change them back to 644. Use FTP software to CHMOD files.
- When installing Joomla, use a DB prefix different from the default (jos_). If your current website uses this prefix, you can still change it using phpMyAdmin in your hosting control panel.
- Even if you follow all of the above instructions, your website can still be hacked. The chances are lower, but certainly not 0%. Check with your hosting provider whether they make regular server backups. Check whether site restoration is included in the price. Check how many site restorations you are allowed per month/year. Check how long you would have to wait for a site restoration.
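
One way to check the file-permission and DB-prefix tips above on a copy of a site, as an added example that is not part of the original tips. The names `audit_site` and `make_sample_site` are hypothetical, and the sample tree is constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Matches the table-prefix line in Joomla's configuration.php.
DBPREFIX_RE = re.compile(r"""\$dbprefix\s*=\s*['"]([^'"]*)['"]""")

def audit_site(root):
    """Return (world_writable, dbprefix) for the Joomla tree under root."""
    world_writable = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful
            if mode & stat.S_IWOTH:  # writable by "other": 777, 666, ...
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                world_writable.append((rel, oct(stat.S_IMODE(mode))))
    prefix = None
    config = os.path.join(root, "configuration.php")
    if os.path.isfile(config):
        with open(config, encoding="utf-8", errors="replace") as fh:
            match = DBPREFIX_RE.search(fh.read())
        prefix = match.group(1) if match else None
    return sorted(world_writable), prefix

def make_sample_site():
    """Build a constructed sample tree (not a real site) for the demo."""
    root = tempfile.mkdtemp(prefix="joomla-audit-")
    files = {  # relative path -> (mode, content); all values constructed
        "configuration.php": (0o644, "<?php\nclass JConfig {\n\tvar $dbprefix = 'jos_';\n}\n"),
        "index.php": (0o644, "<?php // constructed\n"),
        "cache/page.html": (0o775, "constructed\n"),
        "templates/style.php": (0o777, "<?php // constructed\n"),
    }
    for rel, (mode, content) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "cache"), 0o755)      # explicit, umask-independent
    os.chmod(os.path.join(root, "templates"), 0o777)  # constructed bad setting
    return root

if __name__ == "__main__":
    findings, prefix = audit_site(make_sample_site())
    print(findings, "default jos_ prefix in use" if prefix == "jos_" else prefix)
```

The 775 file is not reported because it is not writable by "other"; only the 777 entries and the default prefix are flagged.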