[ Security for Web Developers ] :: 16: Best Practices

You should:

  1. Change the default user name directly in the database.
  2. Put files that contain login credentials outside your webroot.
  3. Don’t allow writable directories. (With details….)
  4. Don’t allow users to upload anything. Sorry.
  5. Avoid toxic data.
  6. Patch like mad.
  7. Use a security notification plugin like Sucuri (and actually pay attention).
  8. Change your username if the crackers find it.
  9. Consider a scanning service, or at the least a scanning plugin.
  10. Understand the particular security controls built into your programming language. (They all have them.)
  11. Don’t write your own security controls, or your own encryption. Never never never.
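As an added example (not code from the original page), here is a small Python audit covering items 2 and 3: it checks that credential files resolve outside the webroot and that no directory under the webroot is group- or world-writable, except subtrees you deliberately allow, such as an uploads folder. The sample site layout, file names and the use of mode bits as the "writable" criterion are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

def inside(path, root):
    """True if `path` resolves to `root` itself or to something beneath it."""
    try:
        Path(path).resolve().relative_to(Path(root).resolve())
        return True
    except ValueError:
        return False

def audit_webroot(webroot, credential_files, allowed_writable=()):
    """Find credential files under the webroot and group/world-writable directories
    under it (mode bits as the proxy for 'the server can write here'), skipping
    subtrees the deployer has deliberately allowed, such as an uploads folder."""
    root = Path(webroot).resolve()
    findings = {"credentials_in_webroot": [], "writable_dirs": []}
    for cred in credential_files:
        if inside(cred, root):
            findings["credentials_in_webroot"].append(str(Path(cred).resolve().relative_to(root)))
    allowed = {root / a for a in allowed_writable}
    for dirpath, dirnames, _ in os.walk(root):
        d = Path(dirpath)
        if d in allowed:
            dirnames[:] = []  # do not descend into an allowed writable tree
            continue
        if d.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings["writable_dirs"].append(str(d.relative_to(root)))
    return findings

def demo():
    """Build a constructed sample site in a temporary directory and audit it."""
    base = Path(tempfile.mkdtemp())
    webroot = base / "public_html"
    uploads = webroot / "wp-content" / "uploads"
    plugins = webroot / "wp-content" / "plugins"
    private = base / "private"  # credentials belong here, outside the webroot
    for d in (uploads, plugins, private):
        d.mkdir(parents=True)
    (webroot / "wp-config.php").write_text("<?php // constructed: credentials inside the webroot\n")
    (private / "db.ini").write_text("user=app\npassword=constructed-example\n")
    for d, mode in ((webroot, 0o755), (webroot / "wp-content", 0o755), (uploads, 0o777), (plugins, 0o777)):
        os.chmod(d, mode)  # uploads is meant to be writable; a writable plugins dir is the mistake
    return audit_webroot(webroot, [webroot / "wp-config.php", private / "db.ini"],
                         allowed_writable=["wp-content/uploads"])
```

Run `demo()` to see the two findings on the constructed layout; point `audit_webroot` at a real document root and your own list of credential files to check a live site.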