Why You Need to Keep Your Web Site Up to Date
The biggest security threat to any Web site is allowing the software it runs on to become out of date. This applies to the hosting environment as well as the specific software that any site may be running. It is important to use a host that has a good security track record, as well as a knowledgeable staff who stays up to date on industry trends and software. If your host is running out-of-date software and can't explain why, it is time to find a new host.
Upgrades: Why and How
For Joomla! sites, it is important to subscribe to the news and announcements regarding new releases and any security issues that may have been addressed in the new release. When a new release is issued, it is important to update your Joomla! site as soon as possible. Although some past releases have contained issues that affected existing sites, critical issues are typically fixed quickly with a new release. One thing to check is the developer's site for each extension you have installed, to see whether the extension has any issues with the new release. If an extension has an issue with a new release of Joomla!, contact the developer and inquire as to when the issue is going to be resolved, and then update both your Joomla! site and the extension. As was mentioned, Sam Moffatt's Update Manager extension is very easy to use and is an excellent way to keep your Joomla! installation up to date.
A number of extension developers include notifications about updates that are available. It is good practice to keep informed on any updates and news regarding the extensions you use on your site. Subscribe to the mailing list, forum, announcements, or news feeds that the developers may offer. When an update to an extension is announced, it is important to update the extension, especially if there is a security issue involved.
As always, before updating, be sure to take a full backup of your site's files and database. Do not rely on any backup system your hosting provider may offer. Ultimately, it is your site, and backups are your responsibility. Set up a schedule to take regular backups of your site depending on the rate of change your site goes through in a typical month. If you update content daily and have an interactive site that is active, it may be best to at least get a daily backup of your database and a monthly backup of your site files. If your content doesn't change often, a monthly backup of your full site and database will most likely be sufficient. Be sure to store your backup files off-site. Download them to a local hard drive or disk or store them in a different online location.
A relatively new initiative for the Joomla! project is the Vulnerable Extensions List (VEL) located on the Joomla! Official Documentation wiki at http://docs.joomla.org/Vulnerable_Extensions_List. This initiative was started by a team of interested users who wanted to track vulnerable extensions and has been a valuable asset to the community. You can subscribe to the page's news feed to stay updated on vulnerable extension reports and get extended information on resolutions or ongoing issues.
Any extension that is no longer supported by the developer, as well as any extensions that you are not using but may have installed, should be completely removed from your Web site. Check to make sure that all related files for any extension that you have uninstalled have been properly removed from your site, because leaving these orphan files on your site could expose your site to a security vulnerability.
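One way to carry out the orphan-file check described above is a small shell function run against the site root after uninstalling. This is an added example, not part of the original text or the Joomla! project: the helper name `find_orphans` and the extension name `example` are hypothetical, and the paths checked are the conventional Joomla! install locations, taken here as an assumption.

```shell
#!/bin/sh
# Added example: list files and directories left behind by an uninstalled
# Joomla! extension. The paths are the conventional install locations
# (an assumption); extensions that write elsewhere need extra patterns.

# find_orphans SITE_ROOT NAME   (hypothetical helper)
# NAME is the extension name without its type prefix, e.g. "example" for
# com_example, mod_example or a plugin named example.
# Prints leftovers relative to SITE_ROOT; returns 0 if none, 1 if any.
find_orphans() {
    root=${1%/}
    name=$2
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    case $name in
        ''|*[!A-Za-z0-9_]*) echo "invalid extension name" >&2; return 2 ;;
    esac
    found=0
    # Unmatched globs stay literal and simply fail the existence test below.
    for p in \
        "$root/components/com_$name" \
        "$root/administrator/components/com_$name" \
        "$root/modules/mod_$name" \
        "$root/administrator/modules/mod_$name" \
        "$root/media/com_$name" \
        "$root/media/mod_$name" \
        "$root"/plugins/*/"$name" \
        "$root"/plugins/*/"$name".php \
        "$root"/plugins/*/"$name".xml \
        "$root"/language/*/*."com_$name".*ini \
        "$root"/language/*/*."mod_$name".*ini \
        "$root"/administrator/language/*/*."com_$name".*ini \
        "$root"/administrator/language/*/*."mod_$name".*ini \
        "$root"/administrator/language/*/*.plg_*_"$name".*ini
    do
        if [ -e "$p" ] || [ -L "$p" ]; then
            printf '%s\n' "${p#"$root"/}"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Run directly: sh find_orphans.sh /path/to/site example
if [ "$#" -eq 2 ]; then
    find_orphans "$1" "$2"
fi
```

Review each reported path before deleting it, since another installed extension may legitimately share a name.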