Joomla is good right from the start when installed on a properly configured web server. They should be set but make sure that all of your files CHMOD to 644 and your folders to 755. There are some exceptions to this rule like the configuration.php, which will CHMOD to 640. Ensure that nothing is set to 777.

The default administrative username is "admin" You should change this to something else. It will make it a little more difficult for a hacker to discover account details.

The time to consider an incident management plan is before your site is hacked not after, so take the necessary time to outline what will happen should you fall victim. As the saying goes, "Back up early and often." When this step is well-planned it takes a lot of the pressure off your shoulders should your site be hacked. Make sure back-ups are done daily to ensure you can restore your site without significant downtime or loss of data. This will allow you to focus on the real problem of how your site was penetrated.