Scan your site!
There are various Joomla security scanners out there (Joomscan is old, but still relevant). Make time to regularly update your site and re-run security tests. The saying goes "An ounce of prevention is worth a pound of cure" - but I believe that is an understatement. When an attacker gains control of your site, you may not know it until it's too late to salvage anything. At that point you must restore from a backup (but which one?)
It's better to be pro-active than to be re-active. Make it safe, keep it safe!
This is a living document and will be modified in the future as new methods are found.