First check if your plugins are listed in the exploitable list:
1. Keep Joomla up-to-date:
Keep Joomla up-to-date, particularly when a security release has just come out.
2. Do not use the default jos_ prefix for your database table names:
Many attacks on Joomla sites depend on your database tables starting with “jos_”. Hackers typically try to get access to the jos_users table so they can get your username and password to login to the admin side of your site.
If you simply change the database prefix for your site to something else, like “mig_”, you would be protected from the kind of security exploit that relies on the default database prefix of “jos_”.
3. Change the default super admin name from “admin” to something else:
When you install Joomla 1.5, the default super administrator username is “admin.” If you don’t change this, you’ll give hackers 50% of what they need to login to the administration side of your site.
To do this, when you first Login as Admin, immediately create another user with a completely different name. Assign this new user super administration rights to your Joomla website. Then immediately log out as Admin. Login as the new user that you just created. Delete the user Admin. You’re done.
4. Joomla Files and Folder permissions:
Using cPanel > File Manager or your FTP client, change the permissions of all Joomla folders to 755 and all wp-content to 600, no matter what.
5. index.html in all Joomla folders:
Ensure that there is a blank (empty) index.html within each folder of your Joomla website.
6. Rogue Extensions:
Additionally, there are rouge extensions available for free download and use. These extensions are actually developed for the explicit purpose of infecting a Joomla website, under the guise of doing something useful there. A really good idea is to scan the downloaded zip file of the Joomla extension / plugin / module with the antivirus on your local computer. If there is a PHP trojan sitting quietly in the extension your anti virus should be able to identify this.
7. Uninstall unused extensions on your website:
Remember there are definitely times when uninstalling Joomla extensions uisng Joomla Admin – Extensions > Install/Uninstall does not completely remove all of the associated directories and wp-content for a given extension, so you should manually remove the wp-content from the extensions directory.