Open source of course does not mean everyone can access everything! The UK government made a clear guideline which states that “Open source, as a category, is no more or less secure than closed proprietary software”.
Like with a safe, you still need the authorisation and the key (code) to see what's inside. And Joomla! is not an easy safe to crack, unless you put it in a shady neighborhood with a note on it explaining how to open it.
Hackers can be anywhere
So you do need to keep it safe. The webhosting and the people working with it play an important part. Hackers are everywhere and online developments move fast. Vulnerabilities are found from time to time, as with all software, but usually the security fix is available before anything is published about it. The large Joomla community makes sure updates are available on a regular basis.
Yes, you do need to install the latest security updates as soon as possible. It's really not that hard, or it shouldn't be. If you don't update, hackers will automatically find your insecure site by scanning for known vulnerabilities.
Your Joomla website is put on a webhosting server that obviously is connected to the internet. There are thousands of hosting companies or resellers that offer this service, but the cost and quality of these services differ a great deal. For your website to be secure, they need to follow security standards and procedures as well. If they don't, anything on their servers is insecure, whether it's Joomla, WordPress, Drupal or any other web application.
A big advantage of Joomla is the fact that there are thousands of extensions available to add functionality. Most can be found in the Joomla Extensions Directory: https://extensions.joomla.org/. This does not automatically mean they are safe and secure. Check the reviews and the date of the last update to see whether there is active development and, if security is a real concern, make sure an expert checks the code for flaws.
With regard to security, extensions are a known risk. Every extension should therefore also be audited for security issues, maintained and updated. If a vulnerability is discovered, the extension is put on the Vulnerable Extensions List: http://vel.joomla.org/
Not every developer cares about this, and if yours doesn't, uninstall the extension as quickly as possible. If they do care, just make sure it's updated.
Of course it's not safe to install software from an unknown developer or origin, but some users do it anyway.
As with most systems, the biggest threat to security is the users themselves. Besides carelessness with maintenance, security updates, webhosting and extensions, they can leave that password note lying around or use a password that's easy to guess. As administrator you can take many measures against this, but not everyone does.
Joomla comes with a built-in Two-Factor Authentication system that secures your site login with a secondary, single-use secret code. This means you need an extra code, coming from a YubiKey or smartphone, besides your password to be able to log in. This is not always practical, but it is definitely a best practice for administrator accounts.
When a hacker manages to "breach" the system, anything can happen to the website, depending on their intentions. But what they do is not always visible on the front-end.
This makes it a good idea to monitor the website in more than one way. Are there many attempts to login? Are files added without authorisation? Are files added that are suspect?
There are several tools to monitor the website. Your webhosting provider should use these, but they can't always help you with the specifics of Joomla. Find your Joomla expert to help you with this.
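One way to implement the "files added without authorisation" and "suspect files" checks from the paragraphs above, as an added example that is not part of the original post or of Joomla itself: the script takes a SHA-256 baseline of the site tree and later reports added, removed and modified files, flagging PHP files that appear under Joomla's upload directories. The directory names, file suffixes and the sample site tree are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Joomla directories that should only ever hold uploads or generated data.
# A PHP file appearing here is a classic sign of a planted web shell, so it is
# reported as suspect even if it was added on purpose. (Assumed list.)
UPLOAD_DIRS = ("images", "tmp", "cache")
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".phar"}


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file below root."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def is_suspect(rel_path):
    """True for executable files placed directly or nested under an upload dir."""
    top = rel_path.split("/", 1)[0]
    return top in UPLOAD_DIRS and Path(rel_path).suffix.lower() in EXECUTABLE_SUFFIXES


def compare_manifests(baseline, current):
    """Classify differences between a trusted baseline and the current state."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    suspect = [p for p in added + modified if is_suspect(p)]
    return {"added": added, "removed": removed, "modified": modified, "suspect": suspect}


def demo():
    """Constructed Joomla-like tree: take a baseline, then simulate later changes."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "configuration.php").write_text("<?php class JConfig {}")
        (site / "images").mkdir()
        (site / "images" / "logo.png").write_bytes(b"\x89PNG")
        baseline = build_manifest(site)  # the "known good" snapshot
        # Simulated unauthorised changes after the baseline was taken (constructed).
        (site / "configuration.php").write_text("<?php class JConfig {} // tampered")
        (site / "images" / "upload.php").write_text("<?php // constructed sample file")
        (site / "images" / "photo.jpg").write_bytes(b"\xff\xd8")
        return compare_manifests(baseline, build_manifest(site))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is stored outside the web root (or on another host) right after a clean install or update, and the comparison is run from cron so that a planted file is noticed before it shows on the front-end.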
After all of the above, when something goes wrong, you still have a working and tested backup, right?
Conclusion: Six best practices for a safe Joomla website
Always make sure the latest security updates for Joomla and its extensions are installed;
Monitor your site for suspect changes and files;
Don't install extensions without investigating them first;
Use certified, reliable, trustworthy webhosting services;
Use the policies for safe passwords and two-factor authentication for administrators;
Make sure backups are made regularly, test them and keep them safe as well.