There are several common website security threats:
Malicious software can be used to steal passwords, hack into poorly secured websites or computers, and so on. If your site allows uploads, keep in mind that uploaded files may not always be what they seem; anti-virus software is needed to check them.
Lack of data validation. All data used by the website should be validated in terms of form and length. For example, name fields should validate characters, number fields should validate numbers, e-mail address fields should check for a valid e-mail address form (email@example.com), and so on. Input and output data validation can help against data poisoning.
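As an added illustration of the form-and-length validation described above (example code written for this page, not taken from any product), the following server-side validator checks a name field, a number field and an e-mail field against an allowlist pattern and a maximum length, rejects unexpected fields, and escapes values on output. The field names, patterns and limits are constructed assumptions for the example.

```python
import html
import re

# Constructed rules: one allowlist pattern (form) and one maximum length per field.
# Names: letters, apostrophes, hyphens and spaces only; numbers: 1-3 digits;
# e-mail: local@domain.tld in the simple shape the text describes.
FIELD_RULES = {
    "name":  {"pattern": re.compile(r"[A-Za-z][A-Za-z' -]*"), "max_len": 64},
    "age":   {"pattern": re.compile(r"[0-9]{1,3}"), "max_len": 3},
    "email": {"pattern": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
              "max_len": 254},
}


def validate_field(field, value):
    """Return None if value is acceptable for field, otherwise a short reason.

    Length is checked before the pattern so an oversized value is rejected
    cheaply, and fullmatch() is used so that trailing junk (e.g. a newline)
    can never sneak past an anchored pattern.
    """
    rule = FIELD_RULES[field]
    if not isinstance(value, str):
        return "not a string"
    if value == "":
        return "empty"
    if len(value) > rule["max_len"]:
        return "too long"
    if not rule["pattern"].fullmatch(value):
        return "bad form"
    return None


def validate_form(submission):
    """Validate every expected field; fields the form never asked for are rejected too."""
    errors = {}
    for field in FIELD_RULES:
        err = validate_field(field, submission.get(field, ""))
        if err:
            errors[field] = err
    for extra in set(submission) - set(FIELD_RULES):
        errors[extra] = "unexpected field"
    return errors


def render_safe(value):
    """Output-side validation: escape HTML metacharacters before echoing a value into a page."""
    return html.escape(value)
```

Run validate_form() on the parsed request body before any value reaches a database or a template, and render_safe() on every value written back into HTML.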
Insider theft. If you are a company, keep in mind that a disgruntled employee can use the data to attack the website. Change your passwords after firing someone, or immediately cancel any addresses or access that no longer apply.
Careful what you store. SQL injection and other exploits can be used by fraudsters to extract sensitive data from your website's databases. To limit what such an attack can expose, do not store sensitive data such as credit or debit card details.
Automated hacking. A large number of bots (software that runs automated tasks on the Internet) are crawling the web looking for vulnerable websites. While the main bot attack techniques are easy to avoid, the web developer has an important role to play in making your website immune to automated hacking attempts.
Data management. If you are a business with multiple computers and employees, put special emphasis on this. Access management and network computer security (ensured by anti-virus and security software) should always be seen as key factors.
SSL and encryption should be used, especially if the website collects information from individuals who interact with it. The first provides a secure connection layer, and the second is important for the security of personal data.
Cross-site scripting attacks are a very common hacking method that uses any field on the website where users can input text. Web developers should know about this vulnerability and build a secure website accordingly.
Authentication management and session management should be taken very seriously, because if not done properly they can result in vulnerabilities that allow a user (or hacker) to alter information or access information they should not be allowed to.
If possible, use FTPS instead of FTP. FTPS (File Transfer Protocol Secure, or FTP Secure) adds support for the TLS (Transport Layer Security) and SSL (Secure Sockets Layer) encryption protocols, thus strengthening security and control over FTP access.
Use a version control service to help identify the versions of your website and roll back to a version you consider safe in case you suspect an attack on the current version.
See also “My website has been hacked – what should I do?”