From Joomla! Documentation
This security list has been compiled from several sources. Some of these sources are linked at the bottom of this article. As such you may find duplicate suggestions. Don't skip anything because of this!
This list for the main part does not provide instructions. It is only a list for you to check off each item as you perform the tasks.
- Change username admin to anything else in Joomla, phpBB, and anywhere else it used.
- Change database tables prefix from jos_ to anything else.
- Change username or add password to username root in phpMyAdmin. Default is no password! This is not usually an issue on remote servers. However if you have a local server, it may be.
- It does not matter if your host does backups. Do it yourself and store them anywhere other than the server.
- Backup up often! You would be amazed at how many site owners never perform regular backups. Don't be one of those persons.
- Test your backup. Verify that your backup procedure works.
- Remove unused templates, extensions and unneeded files from your site. This includes compressed archives.
- Check Joomla Vulnerable Extensions List (VEL)
- Check regularly for updates for Joomla, PHP, SQL and every extension you use.
- Avoid encrypted code in extensions.
- Use some form of intrusion detection either through a cron job or an extension (like Eyesite).
- Check your log files OFTEN for unusual activity.
- Test your site for weaknesses or hire someone to perform this for you. Make sure you tell your host first what you are doing or you may get your site removed from the server!
- Ask your server if they offer PHPsuExec, php_suexec or suPHP.
- Use php.ini files if your server allows. With this you can disable functions that are not needed or dangerous.
- register_globals = 0 (off) Many servers default this to ON.
- expose_php = 0 (off)
- safe_mode = 0 (off)
- Use '.htaccess' to add extra protection to your Administrator directory or use an extension (like kSecure).
- Move configuration.php outside of your public directory.
- Get an SSL certificate for financial transactions and other sensitive data exchange.
- Use open_basedir. It limits which files/folders can be opened.
- Change the paths (directories) where your log, temp (tmp) files are stored. Don't just move them, you have to change the setting in Global Configuration as well. You also have to ensure your new paths fall under the scope of open_basedir.
- If your Administrator password is changed by hackers (or you forget it) follow this procedure to restore it: How do you recover or reset your admin password?