Security is a Mindset

Three Principles:

Defense in Depth - Redundant safeguards are valuable.
Least Privilege - Grant as little freedom as possible.
Least Complicated - Complexity breeds mistakes.

(From Shiflett's Evolution of Web Security)

Trust Nothing, Assume Nothing

Server Side Security

Install Suhosin patch.
Be smart about your passwords.
Disable register globals, magic quotes, etc.
Never run PHP/Apache/Nginx/etc. as administrator.
Keep up with patches.