Change passwords regularly and keep them unique. Use a random combination of letters, numbers, or symbols and avoid using single names or words found in a dictionary. Never use the names of your relatives, pets, etc. Search the forums for a script supplied by Wizzie that automatically changes passwords. This is a great tool for administrators or multiple sites.
Follow a password leveling scheme
Most users may not need more than three levels of passwords and webmasters no more than five. Each level must be completely unrelated to the others in terms of which usernames and passwords are used.
Maintain a strong site backup process
Never rely on others' backups. Take responsibility for your backup procedures. Many ISPs state in their contract that you can not rely solely on their backups.
Monitor crack attempts
VPS and dedicated server users can run TripWire or SAMHAIN. These applications provide exhaustive file checking and reporting functionality, and can be installed in a stealthy manner to help protect themselves in the event of a serious infiltration. (Note: Users of shared servers can not use this technique.)
Perform automated intrusion detection
Use an Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests.
There is not a single tool that can protect your site. If there were, it would be so heavily targeted that it would probably become a liability.
Don't reinvent every wheel
Every now and then hire a professional Joomla! security consultant to review your configurations. Do you remember the adage, "Anyone who acts as their own lawyer has a fool for a client." The same goes for Web development. Don't expect to catch all of your own security mistakes.