The eclectic EASEL

How can I make my Joomla site more secure?

Excellent question! There is no need to live in fear, but there are a few caveats to be aware of.
1. No public-facing website or server can be 100% secure; if it could, we wouldn't hear about the Department of Defense and MIT having their systems broken into.
2. While you can generally improve any site's security, there is always something that gets missed, as if Murphy's law didn't apply to code.

Follow these steps to ensure your Joomla site is secure:

A. Choose a professional web hosting provider. Not necessarily RackSpace, but not a host with an empty knowledge base, no contact phone number and no forum either. They should be able to sell you an SSL certificate and install it for you. Ultimately, your first line of defense against malicious users is the vigilance of your web host in applying updates and keeping platforms upgraded. Sloppy and unplanned server maintenance can ruin your hard work very quickly.

B. If you record sensitive personal information with your site or engage in e-commerce, get an SSL certificate. Without it you are playing Russian roulette with your clients' sensitive data.

C. Set your directory permissions to 755 recursively and your files to 644 (only the owner can write; everyone else can read files and traverse directories, nothing more).

D. Change the default admin account's username from the default "admin". Leaving it as-is gives an attacker half of the information needed to log in. DO NOT USE DICTIONARY WORDS AS PASSWORDS! Use pass phrases whenever possible.

E. Use php.ini and .htaccess to enforce important settings such as register_globals being Off; refer to the list below and to sample.php.ini.

F. Before you install a component, module or plugin, check the vulnerability list at http://docs.joomla.org/Vulnerable_Extensions_List to see whether what you are about to install will compromise your system for you.

G. Force the type you want

Basically, if you are expecting an integer, force it to be an integer (or a float). So, if you have a variable that you expect to be an integer, cast it to an integer before it goes anywhere near a query. For example:

$sql = 'UPDATE #__mytable SET `id` = ' . (int) $int;

If you want to insert a date, use JDate; it will give you back a valid MySQL date every time:

$date =& JFactory::getDate($mydate); 
$sql = 'UPDATE #__mytable SET `date` = ' . $db->quote( $date->toMySQL(), false); 

H. ALWAYS escape your strings

Any time you take a string from user input (I always escape everything that comes from a variable; it's extra insurance), you should escape it using:

$sql = 'UPDATE #__mytable SET `string` = ' . $db->quote( $db->getEscaped( $string ), false ); 

Notice that we're using two functions there: one escapes the string, and the other wraps it in quotes. Also notice that the second parameter to $db->quote() is false. If you leave it out, or set it to true, quote() will escape the string for you, so the line becomes:

$sql = 'UPDATE #__mytable SET `string` = ' . $db->quote( $string ); 

I. Prevent DoS attacks

In a WHERE clause, if you use a LIKE comparison, you can open up a DoS vulnerability by not escaping the special wildcard characters % and _: an unescaped pattern can match far more rows than you intended and make the database do far more work than you planned for. Joomla has a facility to handle this for you: $db->getEscaped() takes an optional second parameter which escapes those characters as well. NOTE: You should only escape these for strings used in a LIKE comparison. So:

$sql = 'UPDATE #__mytable SET .... WHERE `string` LIKE ' .
    $db->quote( $db->getEscaped( $string, true ), false );
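The three rules above (cast numbers, quote strings, escape LIKE wildcards) only run inside Joomla as written, because they use Joomla's $db object. The following added example, which is not code from the original page or from Joomla, shows the same three steps with PDO against an in-memory SQLite table so that you can run it on its own. It assumes PHP 7.4 or later with the pdo_sqlite extension; the users table and its rows are constructed sample data, and escapeLikeWildcards() is a hypothetical helper that does what getEscaped($string, true) adds on top of ordinary escaping.

```php
<?php
// Added example; not code from the original page or from Joomla. It shows the
// three rules above (cast numbers, quote strings, escape LIKE wildcards) with
// PDO against an in-memory SQLite table, so it runs without Joomla. Assumes
// PHP 7.4+ with the pdo_sqlite extension; the users table is constructed data.

// Escape the LIKE wildcards % and _ plus the escape character itself. This is
// the extra step $db->getEscaped($string, true) performs on top of normal
// string escaping. The query must name the same escape character with
// "LIKE ? ESCAPE '\'" so the database interprets the pattern as we intend.
function escapeLikeWildcards(string $value, string $esc = '\\'): string
{
    return str_replace(
        [$esc,        '%',        '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $value
    );
}

// Count users whose name matches a user-supplied search term.
// $escapeWildcards = false reproduces the problem described under "Prevent DoS attacks".
function countUsersNamed(PDO $db, string $term, bool $escapeWildcards): int
{
    $pattern = $escapeWildcards ? escapeLikeWildcards($term) : $term;
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE name LIKE ? ESCAPE '\\'");
    $stmt->execute([$pattern]);
    return (int) $stmt->fetchColumn();
}

// Update a numeric column by forcing the type: after the (int) cast the value
// can only ever be a number, whatever the request contained.
function setUserAge(PDO $db, $userId, $age): int
{
    $sql = 'UPDATE users SET age = ' . (int) $age . ' WHERE id = ' . (int) $userId;
    return $db->exec($sql);   // number of rows changed
}

// Insert a user, quoting the name the way $db->quote($string) does in Joomla:
// PDO::quote() escapes the string and wraps it in quotes in one step.
function addUser(PDO $db, string $name): void
{
    $db->exec('INSERT INTO users (name, age) VALUES (' . $db->quote($name) . ', 0)');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)');
foreach (['Alice', 'Bob', "O'Brien"] as $name) {
    addUser($db, $name);   // the apostrophe in O'Brien is handled by quote()
}

// A search term consisting only of a wildcard: unescaped it matches every row
// in the table; escaped it is looked up as a literal percent sign.
$search = '%';
printf("unescaped: %d rows, escaped: %d rows\n",
    countUsersNamed($db, $search, false),
    countUsersNamed($db, $search, true));

// Non-numeric input collapses to plain integers once cast.
printf("rows updated: %d\n", setUserAge($db, '1 OR 1=1', '30abc'));
```

Note that the wildcard escaping is needed even though countUsersNamed() uses a prepared statement: the parameter is bound safely, but a bare % or _ inside it is still a pattern as far as LIKE is concerned, which is exactly why getEscaped()'s second parameter exists alongside quote().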

J. Preventing XSS Attacks

Most people just get data using JRequest::getVar(), but there are a whole bunch of other methods that force the type much better. Here are some of those methods:

For Integers:

$int = JRequest::getInt( $name, $default ); 

For Floats (decimals):

$float = JRequest::getFloat( $name, $default ); 

For boolean values (true/false):

$bool = JRequest::getBool( $name, $default ); 

For "words" (only allows alpha characters and the _ character):

$word = JRequest::getWord( $name, $default ); 

For "commands" (allows alpha characters, numeric characters, and . - and _):

$cmd = JRequest::getCMD( $name, $default );

For non-HTML text (all HTML will be stripped):

$string = JRequest::getString( $name, $default );
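To see what the typed getters above actually do to request data, here is an added example that is not code from the original page or from Joomla. It models the six getters in a single hypothetical filterRequestValue() function so the behaviour can be tried without a Joomla install; the real JRequest/JFilterInput classes do more (for instance a full HTML filter behind getString), so treat this as an illustration of the idea: decide the type first, then force the input into it. The $request array is constructed sample data standing in for $_GET or $_POST.

```php
<?php
// Added example; not code from the original page or from Joomla. It models the
// typed getters listed above in one function so their effect can be seen
// without a Joomla install. The real JRequest/JFilterInput code does more
// (for example a full HTML filter behind getString), so this is an
// illustration of the idea: decide the type first, then force the input into it.

function filterRequestValue(array $source, string $name, string $type, $default = null)
{
    if (!array_key_exists($name, $source)) {
        return $default;                      // absent parameter: caller's default wins
    }
    $raw = (string) $source[$name];

    switch (strtoupper($type)) {
        case 'INT':    // first (optionally signed) run of digits, as an integer
            return preg_match('/-?\d+/', $raw, $m) ? (int) $m[0] : (int) $default;
        case 'FLOAT':  // first decimal number, as a float
            return preg_match('/-?\d+(\.\d+)?/', $raw, $m) ? (float) $m[0] : (float) $default;
        case 'BOOL':   // accepts 1/0, true/false, on/off, yes/no; anything else -> default
            $b = filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
            return $b === null ? (bool) $default : $b;
        case 'WORD':   // letters and underscore only; everything else is dropped
            return preg_replace('/[^A-Za-z_]/', '', $raw);
        case 'CMD':    // letters, digits, dot, dash and underscore
            return preg_replace('/[^A-Za-z0-9_.-]/', '', $raw);
        case 'STRING': // plain text: tags are removed
            return strip_tags($raw);
        default:
            throw new InvalidArgumentException("unknown filter type: $type");
    }
}

// Constructed request data standing in for $_GET / $_POST.
$request = [
    'id'    => '42abc',
    'price' => '19.99 USD',
    'show'  => 'yes',
    'view'  => 'front_page 2',
    'task'  => 'item.save; extra',
    'title' => 'Hello <b>world</b><script>bad()</script>',
];

// Which parameter to read with which type, and the default if it is absent.
$plan = [
    ['id',      'INT',    0],
    ['price',   'FLOAT',  0.0],
    ['show',    'BOOL',   false],
    ['view',    'WORD',   ''],
    ['task',    'CMD',    ''],
    ['title',   'STRING', ''],
    ['missing', 'INT',    -1],
];
foreach ($plan as [$name, $type, $default]) {
    printf("%-8s %-6s => %s\n", $name, $type,
        var_export(filterRequestValue($request, $name, $type, $default), true));
}
```

These getters clean up what comes in; they are not a substitute for escaping on the way out. A value fetched with getString() and later echoed into a page should still pass through htmlspecialchars(), because stripping tags on input and encoding on output guard against different mistakes.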