Joomla Best Practices
Do you administer Joomla websites? Do you use Joomla within your organization? Here are some best practices to employ when working with Joomla to protect your hard work from being destroyed by those with ill intentions.
1) Restrict access to the /administrator/ and /xmlrpc/ directories by IP address so they are reachable ONLY from the addresses that actually need them. This is set up in the web server, outside Joomla: Apache does it with .htaccess files (or a <Directory> block in the virtual host), IIS does it differently (its IP Address and Domain Restrictions feature), but the concept is the same. Verify it from an outside address afterwards; you should get a 403, not the login page. Also turn off XML-RPC from within Joomla if you don't need it.
2) Remove plugins and modules that you don't use. Extensions you don't use don't get updated, so their known vulnerabilities are easy for the bad guys (and gals) to find and exploit. Keep the extensions you do use as current as possible, and the same goes for the Joomla core: the day a security update comes out, drop what you're doing and apply it. (You are on the security announcements mailing list, right?)
3) Use a login-attempt alert plugin for back-end and/or front-end access. Plugins exist that email you when someone tries to log in to the site and fails, or even succeeds; a burst of failures followed by a success is exactly the pattern you want to hear about. Disable the remote (front-end) password reset if you don't need it.
4) Don't run in legacy mode if you don't have to. Legacy mode exists only to keep Joomla 1.0-era extensions working; if you do have to run it, change whatever forces it so you no longer need it. It's time to move on from those old mambots and templates.
5) Despite your best efforts, your Joomla site may still get hacked. MAKE BACKUPS AND TEST THE RESTORATION. Back up the database as well as the files, and actually restore a copy somewhere: a backup you have never restored is a hope, not a backup. Chances are that if you don't have a current backup, you will get hacked; if you are prepared, as luck would have it, you'll probably never need the backups. Life is funny like that, huh?
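As an added illustration of item 1 (not from the original post), here is what the Apache side of the IP restriction looks like. Everything in it is a placeholder assumption: the site lives at /var/www/joomla, the administrator's workstation is 192.0.2.10 and the office network is 10.0.0.0/8. Both the Apache 2.2 and the Apache 2.4 directive styles are shown; use one or the other, not both in the same file.

```apache
# Put the SAME rules in two files: administrator/.htaccess and xmlrpc/.htaccess
# under the Joomla docroot (/var/www/joomla is an assumed path).
# Addresses are placeholders: 192.0.2.10 = admin workstation, 10.0.0.0/8 = office LAN.

# --- Apache 2.2 (mod_authz_host) ---
# Needs "AllowOverride Limit" (or All) for the docroot in the vhost; with
# AllowOverride None the file is never read and the directory stays open.
Order Deny,Allow
Deny from all
Allow from 192.0.2.10
Allow from 10.0.0.0/8

# --- Apache 2.4 (mod_authz_core) --- use INSTEAD of the four lines above
# Needs "AllowOverride AuthConfig" (or All) when used from .htaccess.
<RequireAny>
    Require ip 192.0.2.10
    Require ip 10.0.0.0/8
</RequireAny>
```

The same directives can go in a `<Directory /var/www/joomla/administrator>` block of the virtual host instead, which removes the dependency on AllowOverride and on a file that a compromised site could overwrite. Test it from outside the allowed ranges with `curl -sI http://example.org/administrator/` and expect `403 Forbidden`; from inside you should get the login page. One caveat: if the site sits behind a reverse proxy or CDN, Apache sees the proxy's address, not the client's, and the restriction is meaningless until the real client IP is restored (mod_remoteip on 2.4) or the rule is applied at the proxy.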
On an interesting side note, I have run virus scans on backups only to find that earlier hacking attempts had infected files with PHP backdoor-type bots. For giggles sometime, run a virus scan on your backup to see whether it is clean. Symantec was the tool that reported these infections to me. Keep in mind what that implies: a backup taken after a compromise you never noticed will restore the backdoor right along with the site, so keep several generations and scan them before you trust them.
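As an added example that is not from the original post, the following POSIX shell script does the two things above in one pass: it restore-tests a backup archive into a scratch directory (item 5) and then greps the restored PHP tree for a few idioms typical of PHP backdoors (eval of a decoded blob, the /e modifier of preg_replace, shelling out with a request parameter). The archive layout (site docroot at the top level of the tarball, database dump named site.sql), the paths and the regex are all assumptions. The regex is a heuristic, not a substitute for the antivirus scan the post describes: it will miss anything it has no pattern for and will flag some obfuscated-but-legitimate code.

```shell
#!/bin/sh
# Restore-test a Joomla backup archive into a scratch directory, then grep the
# restored PHP tree for common webshell/backdoor idioms.
# Assumed (hypothetical) layout: the .tar.gz holds the site docroot at its top
# level (index.php, configuration.php, ...) plus a MySQL dump named site.sql.

# ERE for grep -E. Assumption: a small set of idioms typical of PHP backdoors;
# extend it with whatever your own AV scanner reports.
BACKDOOR_RE='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e[^a-zA-Z]|(system|passthru|shell_exec|popen|proc_open)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)\['

# restore_test ARCHIVE DEST: extract ARCHIVE into DEST and check that the
# pieces a real restore depends on are present. 0 = usable backup, 1 = not.
restore_test() {
  archive=$1; dest=$2
  tar -xzf "$archive" -C "$dest" 2>/dev/null || { echo "tar failed: $archive"; return 1; }
  [ -f "$dest/configuration.php" ] || { echo "missing configuration.php"; return 1; }
  [ -f "$dest/index.php" ] || { echo "missing index.php"; return 1; }
  # a dump with no CREATE TABLE statements restores an empty database
  grep -q 'CREATE TABLE' "$dest/site.sql" 2>/dev/null || { echo "site.sql missing or empty"; return 1; }
  return 0
}

# list_backdoors DIR: print every PHP file under DIR matching BACKDOOR_RE.
list_backdoors() {
  # find returns non-zero when grep finds nothing; that is not an error here
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) \
       -exec grep -lE "$BACKDOOR_RE" {} + 2>/dev/null || true
}

# count_backdoors DIR: print the number of suspicious files under DIR.
count_backdoors() {
  list_backdoors "$1" | wc -l | tr -d ' '
}

# check_backup ARCHIVE: restore to a scratch directory, scan, clean up.
# Exit 0 only when the backup restores AND contains no backdoor idioms.
check_backup() {
  scratch=$(mktemp -d) || return 2
  rc=0
  if restore_test "$1" "$scratch"; then
    n=$(count_backdoors "$scratch")
    if [ "$n" -gt 0 ]; then
      echo "$n suspicious PHP file(s) in $1:"
      list_backdoors "$scratch"
      rc=1
    else
      echo "$1: restores cleanly, no backdoor idioms found"
    fi
  else
    rc=1
  fi
  rm -rf "$scratch"
  return $rc
}

# Usage: sh check_backup.sh /path/to/joomla-backup.tar.gz
if [ -n "${1:-}" ]; then
  check_backup "$1"
  exit $?
fi
```

Run it against every generation you keep, not just the newest: the point of the side note is that the newest backup may already carry the backdoor, and the script tells you which generation is the last clean one to restore from. A non-zero exit makes it easy to wire into whatever job produces the backups so a dirty or unrestorable archive fails loudly instead of sitting there until you need it.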
