Most Joomla attacks are a result of plugin/components vulnerabilities, weak passwords, and obsolete software. Perhaps the biggest disadvantage of every OpenSource CMS is that anyone can download the full source code; this makes it easy for an attacker to determine if your site is running Joomla!, and often he will know the weak points of each version, sometimes even better than you do.
Let this motivate you: we see between 100 – 1,000 unauthorized login attempts every single day at the sites we host (Documentation, Magazine and the main Gavick.com). The vast majority of these are hackers using brute force techniques to get into websites. That’s why you should be ready; so take some precautions to minimize the risk of your website getting broken into.
A classic example of weak security is continuing to use the word ‘admin’ as a user name – this is the default super administration account that’s created when you first install Joomla! – along with a password that brute-force attempts are likely to succeed in guessing. So don’t waste time anymore and rename ‘admin’ account with a different name and ensure it has a strong password.
Ensure that you have installed the latest versions of both the Joomla core itself and any third-party extensions.
You can use Akeeba CMS Update tool – which allows you define specific Super User accounts to be emailed when an update is available, Automatic updates and gives automatically backup your site before updating Joomla.
Outdated versions of the Joomla extension may contain a very serious security vulnerability that allows a hacker to upload files to a website. Exploitation of this vulnerability has been a common cause of the hackings among the hacked Joomla websites. Even if your Joomla doesn’t show if new version is available regularly check on developer page.
Turn on Search Engine Friendly URLs – this will hide typical Joomla URLs.
Disable New User Registration in User Manager – if you don’t need new users added from front-end.