Advice on securing a Joomla! website
One year ago, I was struggling through a couple of episodes where my website (the one you're on right now) was hacked. I am using a program called Akeeba Backup, which in my humble opinion is absolutely mandatory for anybody using Joomla! My site is backed up automatically every night.
I would come into the office on Monday morning (always) and pull up my site using Internet Explorer and bang! Kaspersky Anti-Virus would give a warning and refuse to load the site because it was infected. So I would get into the site backend administration and take my site offline, then into the host with cPanel and run through the Akeeba Kickstart process to completely wipe and replace the site with a backup from a couple of days before. I lost some information, not a lot, but it was stressful and I didn't want to have my site blacklisted as insecure.
I researched solutions for this issue, first turning to the generic security recommendations here: https://docs.joomla.org/Security_Checklist
That's fine information as far as it goes, but after wading through the beginning instructions, I realized there was a chance that misinterpreting or misapplying some of the critical building blocks in my efforts to secure my site would result in either a broken site or one that remained insecure. I didn't have time to become a security expert, and still don't.
I turned again to the Joomla! Extensions Directory and researched some of the security packages there and selected one with which I felt comfortable. After reading through the instructions I installed it, went through the initial configuration and totally locked up my system. So I restored my site again using Akeeba Backup, contacted the support forum for the security solution and got everything straightened out. The second time worked perfectly and I've been tweaking and fine-tuning the extension ever since. (I found out later there was a way to unlock my system without restoring the backup.)
This site is always attacked on weekends and evenings. It gets heavily attacked on holidays, and occasionally during the day. It's not anything I get too excited about any more, but I'm always aware that it's happening and I keep a close eye on my security logs.
What is the name of the extension I use? I'm not going to tell you, because revealing the name also will reveal the techniques that are used to protect my site. There are several layers of protection, but I'm not naive enough to think any defenses are impossible to breach, and I have no intention of giving the bad guys a helping hand.
What I will do is this: On my contact page, email me with the URL of your website, and an email address that matches the domain name, and I'll tell you what extension I'm using. I will visit your site to make sure it's valid and is using Joomla! I will never use your email address again to contact you for any other reason.
You may also look through the Extensions Directory and read the reviews. The extension I'm using is listed there. If you're frustrated with security issues, I can promise this extension will help you, and you will sleep better knowing you're protected.
BTW, I also enabled the Two-Factor Authentication feature in Joomla! and I strongly recommend that you do so today no matter what other security steps you take. If you have an iPhone, Android, BlackBerry or any other smartphone that can run the Google Authenticator app, you're crazy not to use this feature, at least for administrators.