Things every Joomla installation needs to be secure.
The following instructions are based on Joomla 2.5 and were last updated 17 February 2013.
This article considers only those things to be done after installation. For security measures to be taken before or during installation, see Installing and configuring Joomla.
In the Joomla docroot, ensure that the installation directory has been deleted, not merely renamed. Check to make sure, even if you accepted the installer’s offer to delete itself for you.
In Users – User Manager, confirm that no user has the default name “admin” or the default user ID 42. If one does, create a new superuser, log out, log back in as the newly created superuser, and delete the default user.
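As an added example (not from this article), the two checks above as a small shell audit you can source on the server. The configuration.php line format, the default user ID 42 and the mysql client invocation are assumptions about a standard Joomla 2.5 install; the docroot path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the article: a post-install audit of a Joomla 2.5 docroot
# covering the installer-directory check and the default-user check. Assumes that
# configuration.php holds lines of the form   public $dbprefix = 'jos_';   and that
# the mysql command-line client is installed.

# Flag any directory still named "installation" or a renamed copy of it
# (installation_old, _installation, ...). Returns 0 when none is found, 1 otherwise.
check_installation_dir() {
  docroot="$1"
  status=0
  for d in "$docroot"/*installation* "$docroot"/.*installation*; do
    [ -d "$d" ] || continue
    echo "WARNING: leftover installer directory: $d (delete it, do not rename it)"
    status=1
  done
  return $status
}

# Read one scalar setting from configuration.php (Joomla writes them as  public $key = 'value';).
get_config_value() {
  key="$1"; docroot="$2"
  sed -n "s/^[[:space:]]*public [$]$key = '\([^']*\)';.*/\1/p" "$docroot/configuration.php" | head -n 1
}

# SQL that lists users still carrying the default name "admin" or the default user ID 42.
# The users table is <prefix>users, with the prefix taken from configuration.php.
default_user_sql() {
  printf "SELECT id, username FROM %susers WHERE username = 'admin' OR id = 42;" "$1"
}

# Run that query against the site's database. mysql prompts for the password
# (-p with no value attached) so it never appears on the command line.
check_default_user() {
  docroot="$1"
  prefix=$(get_config_value dbprefix "$docroot")
  mysql -h "$(get_config_value host "$docroot")" -u "$(get_config_value user "$docroot")" -p \
        "$(get_config_value db "$docroot")" -e "$(default_user_sql "$prefix")"
}

# Usage: audit_docroot /var/www/joomla   (path is an example, not a Joomla default)
audit_docroot() {
  check_installation_dir "$1" && echo "OK: installer directory removed"
  echo "Users with the default name or ID (should print no rows):"
  check_default_user "$1"
}
```

The query should return no rows; any row it prints is the account to replace by the procedure above (create a new superuser first, then delete this one).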
Install a backup extension such as Akeeba Backup. Perform a manual backup now and set up automatic periodic backups.
Merge the contents of Joomla’s htaccess.txt into the existing .htaccess. Test to make sure you haven’t broken anything.
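Two checks around that merge, as an added example that is not part of the article. The first reports directive lines of htaccess.txt that did not make it into .htaccess verbatim; the second fetches a few site URLs after the merge and reports any server error. The sample files in the test are constructed, not Joomla's real htaccess.txt, and the URL paths are assumptions about a default install.

```shell
#!/bin/sh
# Added example, not from the article: sanity checks for merging Joomla's htaccess.txt
# into an existing .htaccess.

# Print every directive line of htaccess.txt (comments and blank lines skipped) that does
# not appear verbatim in .htaccess, so an incomplete merge is caught before it is relied on.
# A line that was merged with different whitespace is reported too; review such lines by hand.
missing_directives() {
  src="$1"; dst="$2"
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$src" | while IFS= read -r line; do
    grep -qxF -- "$line" "$dst" || printf '%s\n' "$line"
  done
}

# After the merge, fetch a few pages and print the HTTP status for each. Any 5xx usually
# means the merged .htaccess contains a directive this host does not allow (check the error log).
# Returns 1 if any request produced a 5xx. Requires curl; the paths assume a default install.
smoke_test() {
  base="$1"; failed=0
  for path in / /index.php /administrator/index.php; do
    code=$(curl -s -o /dev/null -w '%{http_code}' "$base$path")
    printf '%s %s\n' "$code" "$path"
    case "$code" in 5*) failed=1 ;; esac
  done
  return $failed
}

# Usage (paths are examples):
#   missing_directives /var/www/joomla/htaccess.txt /var/www/joomla/.htaccess
#   smoke_test https://www.example.com
```

Run missing_directives before the smoke test: it tells you what you left out, the smoke test tells you whether what you put in broke the site.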
Install a security extension such as Admin Tools. Perform a manual security check now and set up automatic periodic checks.
Take measures to receive security or new release announcements for Joomla and for each extension you use. Feeds work well for me, so I add Joomla’s security announcements and the new release feed of each of my extensions to my feed reader. Other common options for staying informed include mailing lists and Twitter. When security or bugfix releases are announced, update Joomla promptly.
Many extensions do not have means of announcing security or bugfix releases. Consider what that says about the developer’s commitment to security and stability.
Enable Apache webserver logging; consult your web host for instructions. Wait 24 hours to review the log and correct any issues. If this is a new site, you will want to repeat this step after the site has been publicly available for a few days.
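A first pass over that log, as an added example that is not part of the article. It reads Apache's combined log format and pulls out three things worth looking at after the steps above: requests that still reach an installer directory, repeated POSTs to the administrator login per client, and the clients generating the most 4xx responses. The log lines embedded below are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article: a quick review of an Apache combined-format
# access log for a Joomla site. SAMPLE_LOG is constructed data standing in for a real log.

SAMPLE_LOG='203.0.113.5 - - [18/Feb/2013:10:01:02 +0000] "GET /installation/index.php HTTP/1.1" 404 215 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Feb/2013:10:01:03 +0000] "GET /installation_old/index.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2013:10:02:10 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2013:10:02:11 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 6544 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Feb/2013:10:03:01 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Feb/2013:10:03:02 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Feb/2013:10:03:03 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Feb/2013:10:05:40 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Feb/2013:10:06:00 +0000] "GET /components/com_example/ HTTP/1.1" 404 215 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Feb/2013:10:06:01 +0000] "GET /templates/example/ HTTP/1.1" 404 215 "-" "Mozilla/5.0"'

# Combined format, split on whitespace: $1 client IP, $6 "METHOD (with the opening quote),
# $7 request path, $9 HTTP status. All three functions read the log on stdin.

# Requests to the installer directory or a renamed copy of it. After the installer has been
# deleted these should all be 404s; a 200 means a copy is still reachable.
installer_hits() {
  awk '$7 ~ /^\/installation/ { n++ } END { print n+0 }'
}

# POSTs to the administrator login, per client IP, most frequent first.
# A single client with many POSTs in a short window is worth a closer look.
admin_post_counts() {
  awk '$6 == "\"POST" && $7 ~ /^\/administrator\// { c[$1]++ }
       END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Clients producing the most 4xx responses, typical of probing for paths that do not exist.
client_error_counts() {
  awk '$9 ~ /^4/ { c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Usage: review_log /var/log/apache2/access.log   (log path varies by host)
review_log() {
  echo "Installer-directory requests: $(installer_hits < "$1")"
  echo "Administrator POSTs by client:"; admin_post_counts < "$1"
  echo "4xx responses by client:";       client_error_counts < "$1"
}
```

On the constructed sample the report shows two installer requests (one of them served with 200 from a renamed directory), three login POSTs from one client and all of the 4xx responses from that same client, which is exactly the pattern a first review after going public is meant to surface.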