Using a quick start package may be the quickest way to get a fully set up, add-your-content site, but are you aware of the dangers?
We tested several quick starts from major providers, ranging from template developers to extension developers, who include a ready-to-go version of Joomla.
We found varying degrees of insecurity. None of these packages are plug/play/forget.

The most common issue and vulnerability was the use of an out-of-date version of Joomla. When (at the time of writing) Joomla is at 3.5.1, we found the worst case was 3.3.1, with several security vulnerabilities. Possibly the worst was an extension developer charging for a download that included 2.5.29.
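As an added defender's check (not code from this article or from the Joomla project), the script below reads the Joomla version a quick start package bundles before it is installed and compares it with the version the site should be on. It assumes the Joomla 3.x layout, where libraries/cms/version/version.php declares RELEASE and DEV_LEVEL; the sample file content is constructed.

```python
import re
from pathlib import Path

# Version the site should be on (3.5.1 at the time the article was written).
CURRENT_VERSION = (3, 5, 1)

# Joomla 3.x stores its version in libraries/cms/version/version.php as
# RELEASE ('3.3') and DEV_LEVEL ('1'); depending on the release these are
# either class constants or public properties, so the regexes accept both.
RELEASE_RE = re.compile(r"\bRELEASE\s*=\s*'(\d+)\.(\d+)'")
DEV_LEVEL_RE = re.compile(r"\bDEV_LEVEL\s*=\s*'(\d+)'")

# Constructed sample of version.php from an out-of-date quick start package.
SAMPLE_VERSION_PHP = """<?php
final class JVersion
{
    const RELEASE = '3.3';
    const DEV_LEVEL = '1';
}
"""

def parse_version(version_php):
    """Return (major, minor, patch) parsed from version.php text, or None."""
    release = RELEASE_RE.search(version_php)
    dev_level = DEV_LEVEL_RE.search(version_php)
    if not release or not dev_level:
        return None
    return (int(release.group(1)), int(release.group(2)), int(dev_level.group(1)))

def audit_bundled_version(version_php, current=CURRENT_VERSION):
    """Compare the bundled version with `current`; return (version, verdict)."""
    bundled = parse_version(version_php)
    if bundled is None:
        return (None, "could not determine the bundled Joomla version")
    if bundled < current:
        return (bundled, "outdated: %d.%d.%d bundled, %d.%d.%d current" % (bundled + current))
    return (bundled, "up to date")

def audit_package(package_root):
    """Audit an unpacked quick start directory (assumed Joomla 3.x layout)."""
    version_file = Path(package_root) / "libraries" / "cms" / "version" / "version.php"
    if not version_file.is_file():
        return (None, "version.php not found; unrecognised package layout")
    return audit_bundled_version(version_file.read_text(errors="replace"))

if __name__ == "__main__":
    # Pass the path of a real unpacked package to audit_package() instead.
    print(audit_bundled_version(SAMPLE_VERSION_PHP))
```

A version that parses but is older than the current release is flagged as outdated, and a package whose layout is not recognised is reported rather than silently passed.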

The Vulnerable Extensions List team is looking for new members.

Those interested must have:

A proven record of assisting the Joomla community.
The ability to converse confidently in English.
The ability to test a PoC (proof of concept) where applicable.

This volunteer role requires only a little commitment but does require a lot of discretion, as you may be dealing with exploits that affect the Joomla community as a whole.

If you have not applied to us before, please complete the linked application form.
Please contact the developer for more information.


This is not always due to a hack; mostly it is a site administrator's failure.

I have had a spate of new users appearing in my User Manager.
I am the only authorised user on my sites (Super User), so how do these idiot spammers get in, and how do I block them in future?

I've received email messages from my website, telling me that a new user has registered.

1. There is no user registration form on the website
2. These appear to be hacks

The symptom checklist is as follows:

One of the requirements for getting your vulnerable extension marked as resolved is that you publish a security release announcement on your website. However, we have noticed that developers often seem to have trouble understanding what this means.

So what does it mean? We do not have a standard format for this; however, we do ask that any reasonably intelligent person reading the notice would understand that there is a new version available, that it is a security release, and that users need to update. Moreover, this information should not be buried at the bottom of a page listing all the wonderful features of your extension. You can see a good example here for Joomla. You will note the use of the eye-catching graphic. You will note also that the very second sentence says:

This is a security release for the 3.x series of Joomla! This release fixes two low level security issues.

The combined effect is that the reader will be in no doubt that it is a security release.


Recently an issue was reported to the Vulnerable Extensions List team which affected Easy Blog, the blogging platform for Joomla. After some thought we decided that it did not fall within the normal definition of a security issue that would merit listing on the VEL. It was reported to us by a site owner whose site had been hit by an unusually sophisticated spam attack: the spammer was taking advantage of Easy Blog and Joomla default settings, with the result that they were able to set themselves up multiple accounts as bloggers and create blog posts containing spammy links. In this case these links ended up being indexed by Google, even though they would not show up to a normal visitor to the site.