No matter what precautions you take, your website can still come under attack. Even if you have prepared well for such a scenario, XSS is not the only exploit your site may be vulnerable to. Some attackers are social engineers rather than crackers: they play with your mind instead of hunting for a vulnerability in your site. Here is a typical example.
On a Saturday evening you receive a mail, apparently from your web host, about an issue with your website:
Someone has tried to hack your site, www.sitename.com. The attempt was not successful because of our firewall and security system. Still, we suggest you log in to your administrator panel, revisit the possible exploits (under the Current vulnerable tab) and take the necessary action to prevent future attacks on your site.
Follow the link to your administrator.
It is Saturday night; you have enough time to look into the issue, and you cannot ignore it anyway. So without delay you follow the link in the mail. You try your credentials; they do not work the first time. You type every letter carefully; it fails again. On the third, even more careful attempt you get in and see your administrator panel, but there is no tab named Current vulnerable. Baffled, you google around and send a mail to your host asking what they meant. The next time you open your website, it says you have just been hacked. Still confused? Read on.
What just happened is that you got fooled.
First of all, the mail was not from your host. An attacker targeted your website, collected information about your hosting company, drafted a convincing mail like the one above and sent it to you. Even if it lands in your spam box, you cannot ignore it, because it appears to come from your web host. The link in the mail looks exactly like the link to your website's administrator page, and when you hover over it the browser's status bar shows that administrator URL (just to reassure you that it will take you to your administrator page). So you followed it. What you did not notice is that clicking the link took you to a different website with the same look and feel as your administrator login. That is no great feat: everybody knows what the administrator URL of a Joomla website looks like and what the login page looks like. So the attacker successfully led you to his decoy. How you got tricked is simple: your mind was on fixing the problem as quickly as possible, and you did not check the URL in your address bar while typing your credentials.
The story continues. The attacker's site recorded your credentials twice (two attempts) and then redirected you to the real administrator link on your own site. There your credentials worked and you logged in. You know the rest of the story. You were not hacked when you got the mail; you are now. The check that would have saved you is cheap: compare the visible link with the address it actually leads to, and look at the address bar before you type a password. Better still, never follow an administrator link from a mail; type the URL yourself.
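The two tricks in the story above, a link whose visible text shows your administrator URL while its href goes somewhere else, and a link whose href is genuine but whose click handler changes the destination after you have hovered over it, can both be caught mechanically before anyone clicks. The following is an added example (not code from the original post or from any mail filter) that scans an HTML mail body and flags anchors with a mismatch between visible text and href host, an href host outside a list of hosts you trust, or an inline click handler. The sample mail, the host sitename-com.example.net and the trusted host www.sitename.com are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline event handlers that can change where a click actually goes,
# even though the status bar showed the href while you hovered.
EVENT_ATTRS = ("onclick", "onmousedown", "onmouseup")


class _AnchorCollector(HTMLParser):
    """Collects each <a> tag's attributes together with its visible text."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = {"attrs": dict(attrs), "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append(self._current)
            self._current = None


def _host(url):
    """Hostname of a URL or bare host string, lower-cased ('' if none)."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url  # bare 'www.sitename.com/administrator'
    return (urlparse(url).hostname or "").lower()


def find_suspicious_links(html_body, trusted_hosts):
    """Return a list of {'href', 'text', 'reasons'} for anchors that look like decoys."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for a in parser.anchors:
        href = a["attrs"].get("href", "") or ""
        text = a["text"].strip()
        href_host = _host(href)
        reasons = []

        # 1. The real destination is not one of your own hosts.
        if href_host and href_host not in trusted:
            reasons.append("href points at untrusted host " + href_host)

        # 2. The visible text looks like a URL but names a different host
        #    than the href (the classic look-alike link).
        if "." in text and " " not in text:
            text_host = _host(text)
            if text_host and text_host != href_host:
                reasons.append(
                    "visible text names %s but href goes to %s"
                    % (text_host, href_host or "(none)")
                )

        # 3. An inline handler can rewrite the destination on click,
        #    so what the status bar showed on hover means nothing.
        handlers = [k for k in a["attrs"] if k.lower() in EVENT_ATTRS]
        if handlers:
            reasons.append(
                "click handler %s can change the destination" % ",".join(handlers)
            )

        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample mail body, modelled on the one in the story.
SAMPLE_MAIL = """
<p>Someone has tried to hack your site, www.sitename.com. Please log in and review.</p>
<p><a href="http://sitename-com.example.net/administrator">http://www.sitename.com/administrator</a></p>
<p><a href="http://www.sitename.com/administrator"
      onclick="location.href='http://sitename-com.example.net/administrator';return false">
   Follow the link to your administrator.</a></p>
<p><a href="http://www.sitename.com/support">Support</a></p>
"""

if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_MAIL, {"www.sitename.com"}):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Run it and the first two anchors are reported (look-alike text on an untrusted host, and a genuine href with an onclick that redirects); the plain Support link passes. A check like this belongs in whatever reads your mail before you do, but the same three questions are what you should ask by hand before following any "log in now" link.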