How do you setup a secure demo site?
From Joomla! Documentation
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
General Information
Please note that this FAQ item applies to Joomla version 
only.
In /includes/version.php look for:
/** @var string Whether site is a production = 1 or demo site = 0 */ var $SITE = 1; /** @var string Whether site has restricted functionality mostly used for demo sites: 0 is default */ var $RESTRICT = 0;
For a demo site it is advised to following:
/** @var string Whether site is a production = 1 or demo site = 0 */ var $SITE = 0; /** @var string Whether site has restricted functionality mostly used for demo sites: 0 is default */ var $RESTRICT = 1;
$SITE = 0 // Allows multiple user logins with only one account. By default Joomla! // allows only one active session per account as a security feature.
$RESTRICT = 1 // Disables those logging in, both Front-end and Back-end from changing // user details - like password and username
These settings are used on the official demo site http://demo.joomla.org
You should also make all files and folders nonwriteable - especially the configuration.php file. Also recommend you setup an automatic cron job that refreshes the database at a set interval (in our case 60mins) from a db script.