Security begins with preparation, not installation. If you begin your install without a security plan, you are already at a disadvantage. Attackers already have a strategy; shouldn't you?
Start by listing the items you can and will secure. Don't skip anything, and don't leave anything out because you don't know how to secure it. The moment you decide to leave a window open because you don't know how to close it is the moment someone breaks in and robs you blind.
Begin by examining the server itself.
- Physical Security
  - For many, this aspect will be a moot point. Many use hosting companies, and only employees of the hosting company will ever have physical access to the server. For those who host on their own hardware, take care that your server is physically secure. There are people who specialize in social engineering and need only a few unattended minutes of physical access to a server to compromise it. Take inventory of your physical security, and if it isn't rock-solid, upgrade it!
- Operating System Maintenance
  - Again, this will not be an option for many who use hosting companies and live with the software provided on their hosted server. For those who maintain their own servers, it is important to stay on top of operating system and web server updates. Many updates fix bugs and vulnerabilities. Unless you are the very rare target of a zero-day exploit, keeping your server updated will reduce the risk of exploitation through a known vulnerability.
- Running Services
  - Is your server running a Telnet service? What about fingerd? Did you set up an IRC server for your buddies? These are important questions, and it's important to realize that any unnecessary service can be a point of access for an attacker. If you aren't using a service for your site, secure it or remove it.
  - With services like Letsencrypt.com, there is absolutely no reason not to run an SSL-encrypted site. With encryption, you protect your users' credentials at the same time as you protect your administration credentials. As a bonus, your SERP ranking will benefit and your customers and visitors will feel more secure on your site. There is no downside to encrypting, so get to it!
  - You aren't done until you score A+ on SSL Labs.
- Methods of Connection
  - Once you start using encrypted connections, don't do anything unencrypted. Don't use Telnet, use SSH. Don't use FTP, use SFTP. If you use cPanel via your host, be sure it's served over an encrypted connection. Treat any unencrypted connection as a security risk. Being paranoid is not a bad thing when it comes to server security.
  - Also consider blocking avenues used to mask an attacker's identity, such as the Tor network. It's a common misconception that attacks via Tor cannot be tracked; in fact, the Tor network itself publishes a list of exit nodes. Unless you have a good reason to allow traffic arriving through a Tor exit node, you can block one method attackers use to mask their identity.
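The "Running Services" inventory above, as an added example that is not part of the original article: a small shell audit that compares the TCP ports actually listening on a server with the allow-list from your security plan and flags everything else, naming the plaintext and legacy services the article calls out. The sample `ss` output and the allow-list of 22/80/443 are constructed assumptions; on a real server you would pipe `ss -Hltn` into `audit_listening`.

```shell
#!/bin/sh
# Added example (not from the original article): flag listening TCP ports
# that are not part of the security plan. Input is `ss -Hltn`-style lines
# ("LISTEN 0 128 0.0.0.0:22 0.0.0.0:*"); field 4 is the local address:port.

# Ports the plan says may listen: SSH, HTTP, HTTPS (assumption, adjust to your plan).
ALLOWED_PORTS="22 80 443"

# Constructed sample of `ss -Hltn` output so the audit can be exercised offline.
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 [::]:6667 [::]:*'

# Name the plaintext/legacy services the article mentions, for a sharper finding.
legacy_name() {
  case "$1" in
    21) echo "FTP, replace with SFTP";;
    23) echo "Telnet, replace with SSH";;
    79) echo "fingerd";;
    6667) echo "IRC";;
    *) echo "";;
  esac
}

# Read ss lines on stdin; print one UNPLANNED line per port not in ALLOWED_PORTS.
# Returns 0 when every listening port is in the plan, 1 otherwise.
audit_listening() {
  rc=0
  while read -r line; do
    local_addr=$(echo "$line" | awk '{print $4}')
    port=${local_addr##*:}            # strips "0.0.0.0:", "[::]:" or "*:"
    [ -n "$port" ] || continue
    case " $ALLOWED_PORTS " in
      *" $port "*) continue;;          # port is in the plan
    esac
    name=$(legacy_name "$port")
    if [ -n "$name" ]; then
      echo "UNPLANNED port $port ($name) listening on $local_addr"
    else
      echo "UNPLANNED port $port listening on $local_addr"
    fi
    rc=1
  done
  return $rc
}

# Demo run over the constructed sample; exit status stays 0 for stand-alone use.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listening || echo "audit: unplanned services found"
```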
The rest of the items are more Joomla-specific and will be addressed in more depth.
Mr Drucker stresses commitment, and I cannot disagree. Commit to your own security.
"Unless commitment is made, there are only promises and hopes... but no plans." (Peter Drucker)