The PAVISE of Security
By: notepad
2006-07-28

    Table of Contents:
  • The PAVISE of Security
  • Privacy
  • Administration
  • Validation
  • Integrity
  • Sociology
  • Environment
  • Closing


    The PAVISE of Security - Integrity


    (Page 5 of 8)

    The overall strength of your application.

    Framework

    You should have a solid plan for your website before you even begin coding. How will your database be laid out? How will you organize files in the file system? What naming conventions will you use? Will you have multiple developers, and if so what coding practices can you all agree on? Will it be procedural or object oriented? How will you roll back if something breaks? Follow each question with another question: Why?

    If you haven't noticed, the code examples in the PHP manual all follow certain guidelines. Coding conventions were put into place not just to help others read your code, but also to help you write code securely and efficiently. Your coding style may differ from those published as some sort of official standard (such as the PEAR Coding Standards), but really think through how you write your code. The key is to maintain consistency so errors are spotted quicker and maintenance is easier. Find a style, and stick to it.

    Basically the point I'm trying to get across here is to use common sense. Initialize variables, keep up to date on bug fixes for any third-party code, and so on. Don't write 100 lines of code that could be done in 20; be direct and to the point, because simpler is better. The moment you start getting lazy or writing quick hacks to fix something is the moment you become vulnerable to attack, and you're one step further away from that perfect dream project you've been waiting for.
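    As an added illustration of the "initialize variables" advice (this is example code, not from the original article), the first function below leaves a flag unset on one path and lets request data become local variables through extract(), so the request decides the outcome; the second initializes the flag before any input is consulted. The function names and the inputs are constructed for this example.

```php
<?php
// Added example, not part of the original article.
// Hypothetical admin check: $request stands in for $_GET/$_POST, $user for
// a record loaded from the session.

// Fragile: $is_admin is never assigned on the "not admin" path, and extract()
// turns every request key into a local variable. Under old PHP with
// register_globals, or with extract() on user input as here, a request that
// carries is_admin=1 fills the gap left by the missing initialization.
function check_fragile(array $request, array $user): bool
{
    extract($request);                      // anything in the request becomes a local
    if (($user['role'] ?? '') === 'admin') {
        $is_admin = true;
    }
    return isset($is_admin) && $is_admin;  // true if the request supplied it
}

// Hardened: the flag has a known value before any input is read, and input
// is read explicitly by key instead of being dumped into the local scope.
function check_safe(array $request, array $user): bool
{
    $is_admin = false;                      // initialized first
    if (($user['role'] ?? '') === 'admin') {
        $is_admin = true;
    }
    return $is_admin;                       // only the user record decides
}

// Constructed inputs: a request that smuggles is_admin=1 and a non-admin user.
$request = ['page' => 'settings', 'is_admin' => '1'];
$user    = ['role' => 'guest'];

var_dump(check_fragile($request, $user));
var_dump(check_safe($request, $user));
```

    Run as written, the fragile check reports the guest as an admin because the smuggled value fills in the uninitialized flag, while the hardened check does not. The same lesson applies to any variable whose value is assumed rather than set: give it a known default at the top of the scope, and never let raw input create variables for you.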

    Balance Risk vs Usability

    Another popular topic... The most secure website in the world would be one that nobody could access, because it's offline. You need to keep your applications secure, but you also need a user-friendly experience, otherwise your visitors will just get fed up and leave. A good example here would be captchas, where a website makes you type some very hard to read letters and numbers seen on a picture to prove that you're a human being. I understand how these are useful, but if it takes a human 5 or 6 tries to get it right, then it's probably overkill. Another problem with captchas is accessibility for users with special needs.

    Hashing

    This goes back to the idea of having control over your applications, but no control over the administration of the server. What happens if an attacker does end up compromising the server that your website is hosted on? Even more important, how would you know? Having your own personal backup files would of course be a good idea. Another idea would be to have a system that lets you know if any of your files have been modified by anyone other than yourself. Cryptographic hashing, which is not only good for protecting passwords and sensitive information, can also be used to record a fingerprint of each file. Check out md5_file() and/or sha1_file(). Basically the idea is to periodically check the server for changes by comparing hashes, and if any file was modified you could have the script notify you of when and what was changed. There are several implementations of this concept already in place, so examples shouldn't be hard to find.
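    The following is an added example of the scheme just described, not code from the original article: it records a baseline of sha1_file() hashes for every file under a directory, stores it as JSON, and on later runs reports files that were added, removed or modified, together with the old and new modification times. The manifest path, the function names and the command-line layout are this example's own assumptions.

```php
<?php
// Added example, not part of the original article.
// Usage:  php integrity.php init  /var/www/site   (record the baseline)
//         php integrity.php check /var/www/site   (report drift since then)

// Placeholder path: keep the manifest outside the web root, and ideally keep
// a second copy off the server entirely (see the note below the code).
const MANIFEST_PATH = '/path/outside/webroot/integrity-manifest.json';

// Walk a directory tree and hash every regular file.
function build_manifest(string $root): array
{
    $manifest = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        // sha1_file() is what the article points to; hash_file('sha256', $path)
        // is the stronger choice on any PHP that has it.
        $manifest[$path] = [
            'sha1'  => sha1_file($path),
            'size'  => $file->getSize(),
            'mtime' => $file->getMTime(),
        ];
    }
    ksort($manifest);
    return $manifest;
}

// Compare the stored baseline with a fresh scan and return only the differences.
function compare_manifests(array $baseline, array $current): array
{
    $report = ['added' => [], 'removed' => [], 'modified' => []];
    foreach ($current as $path => $entry) {
        if (!isset($baseline[$path])) {
            $report['added'][] = $path;
        } elseif ($baseline[$path]['sha1'] !== $entry['sha1']) {
            $report['modified'][$path] = [
                'old_mtime' => date('c', $baseline[$path]['mtime']),
                'new_mtime' => date('c', $entry['mtime']),
            ];
        }
    }
    foreach ($baseline as $path => $entry) {
        if (!isset($current[$path])) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

function save_manifest(string $path, array $manifest): void
{
    file_put_contents($path, json_encode($manifest, JSON_PRETTY_PRINT), LOCK_EX);
}

function load_manifest(string $path): array
{
    $data = json_decode((string) @file_get_contents($path), true);
    return is_array($data) ? $data : [];
}

$mode = $argv[1] ?? 'check';
$root = $argv[2] ?? __DIR__;

if ($mode === 'init') {
    save_manifest(MANIFEST_PATH, build_manifest($root));
    echo "Baseline written.\n";
} else {
    $report = compare_manifests(load_manifest(MANIFEST_PATH), build_manifest($root));
    if ($report === ['added' => [], 'removed' => [], 'modified' => []]) {
        echo "No changes.\n";
    } else {
        // Swap the echo for mail() or a logger to be told when and what changed.
        echo json_encode($report, JSON_PRETTY_PRINT), "\n";
    }
}
```

    Two caveats worth keeping in mind. First, the comparison only tells you which files changed and when their timestamps moved; to see what changed you still need the backup copy the article recommends, so a diff can be taken against it. Second, anyone who has taken over the server can edit the manifest or this script as easily as the site itself, so the copy that matters is the one you keep off the server and compare from a machine you trust, not the one sitting next to the files it guards.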

    © 2003-2012 by Developer Shed. All rights reserved.