Yesterday, I highlighted some of the critical Joomla security issues that you should consider. Here are a few more you should add to your list:
All of these can be set in your local php.ini file (if your server allows it), rather than by changing the global one for the server.
1. Use the disable_functions directive to prevent the use of some dangerous PHP functions:
Example: disable_functions = show_source, exec, phpinfo
2. Use open_basedir. This limits the files PHP can open to the directory tree specified (e.g. your home folder):
Example: open_basedir = /home/webguy/www/html
3. Disable register_globals. Joomla will actually warn you if you have this enabled:
Example: register_globals = 0
4. Disable allow_url_fopen. This setting is what lets PHP's URL wrappers open remote URLs. You can probably imagine the dangers that would create if exploited.
Example: allow_url_fopen = 0
Source: Joomla Security Checklist
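
Because a local php.ini only takes effect if the server honours it, it is worth confirming what PHP is actually running with. The script below is an added example, not part of the Joomla checklist: it reads the effective values of the four directives with ini_get() and lists any that do not match the settings above. The function names and the REQUIRED_DISABLED list are assumptions made for this example.

```php
<?php
// Added example: report whether the four settings from the list above are
// in effect for the PHP process that serves this script.
// Assumption: REQUIRED_DISABLED mirrors the sample disable_functions line.
const REQUIRED_DISABLED = ['show_source', 'exec', 'phpinfo'];

// Returns true/false for an on/off directive, or null if this PHP version
// no longer has the directive (register_globals was removed in PHP 5.4).
function ini_flag_on(string $name): ?bool
{
    $raw = ini_get($name);
    if ($raw === false) {
        return null;
    }
    $value = strtolower(trim($raw));
    return !in_array($value, ['', '0', 'off', 'false', 'no', 'none'], true);
}

function audit_php_settings(array $requiredDisabled): array
{
    $findings = [];

    // disable_functions is a comma-separated list; compare it as a set.
    $disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));
    $missing = array_diff($requiredDisabled, $disabled);
    if ($missing) {
        $findings[] = 'disable_functions does not list: ' . implode(', ', $missing);
    }

    if (trim((string) ini_get('open_basedir')) === '') {
        $findings[] = 'open_basedir is not set';
    }

    foreach (['register_globals', 'allow_url_fopen'] as $flag) {
        if (ini_flag_on($flag) === true) {
            $findings[] = "$flag is enabled";
        }
    }
    return $findings;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
$findings = audit_php_settings(REQUIRED_DISABLED);
echo $findings ? implode("\n", $findings) . "\n" : "All four settings match the checklist.\n";
```

Request the script through the web server rather than the command line, since the two can load different php.ini files, and delete it once you have the answer.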