Server Level
- I'm using a managed hosting setup so the server security is fine
- Also a site scanner / malware scanner
- Backups are scheduled every night for the server
The main concerns are with Joomla itself. Here's what I have set up already:
- RSFirewall Plugin - blacklisted countries I know we don't need traffic from, have an additional password before the user login, critical issue email updates, and the usual default system/db checks
- Joomla is always updated to the latest version, and running the most recent reliable PHP version.
- Akeeba Backup is installed for remote backups of files + db to Dropbox.
- User accounts are limited to only 2 users who manage the site, and the passwords are already very secure (20+ characters with symbols/letters/numbers etc)
- Plugins are updated frequently, and the ones we don't need are removed.
- No possible front-end input - even the contact form is hosted separately by a form provider, e.g. Jotform / Typeform. Much of the website is static and mostly hosts information.
- SSL is of course set.
Would really appreciate thoughts, and thanks!