- Brute force detection should be enabled.
- Cache directories should be secured.
- CAPTCHAs should be enabled and required for anonymous users to avoid spam.
- Code Injection should be prevented.
- Cookies should NOT be used to store passwords and sensitive data.
- CSRF should be prevented.
- Directory listing should be disabled.
- File Inclusion should be prevented. Use white-list/black-list and validation model.
- File uploads should be enabled just for authorized users.
- Firewall should be enabled.
- FTP uploads for anonymous users should be disabled.
- PHP system-shell functions (system, exec, dl, shell_exec, ...) should be disabled.
- Register Globals for PHP should be set to off.
- Safe mode for PHP should be on.
- Sessions should be used for authentication.
- Session Fixation should be prevented.
- Session hijacking should be prevented.
- Source Code should be hidden.
- SQL Injection should be prevented. Use filters or install apache-modules like modsecurity or suhosin.
- Temp directory should be secured.
- XSS should be prevented.
Read these documents for detailed information: http://csrc.nist.gov/publications/nistpubs/800-44/sp800-44.pdf http://www.owasp.org/index.php/Category:OWASP_Guide_Project
use professional applications like drupal, joomla, wordpress, phpbb, vbulletin.
use secure frameworks like zend, symfony, cakephp etc...
separate design and code, update your core system.
follow security news, bugs etc...
use hard passwords
secure your tool-directories like phpmyadmin etc
Don't use PHP (important)
Instead of bothering everyone with CAPTCHA you should implement something smarter.
Use bayesian filters and blacklists - there are open source projects with ready solutions. Or use Akismet/Defensio if you don't want to maintain one yourself.
For small sites there are tricks with CSS/JS that can replace CAPTCHA.
Amateur coders use mysql_query() and try to assemble SQL queries by hand. Quoting the parts is often forgotten, that's where the problem comes from.
Professional programmers use PARAMETERIZED SQL instead. See PDO and ? parameters.
"Filters and Apache modules" are not a solution. Obviously providing newbies with magic_quotes and other workarounds hasn't exactly led to better understanding. As showcased here.
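The difference the answer above describes, as an added example that is not from any of the posters: the hand-assembled query beside the parameterized PDO form with `?` placeholders. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite table with constructed rows, so it runs offline; the table name, columns and input string are assumptions for the demo.

```php
<?php
// Added example, not from the original answers. In-memory SQLite stands in
// for the MySQL database; the schema and rows are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES
           ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Untrusted input as it would arrive from a request parameter (constructed).
$untrusted = "' OR '1'='1";

// 1. Query assembled by hand: the quote inside the input closes the string
//    literal and the remainder is parsed as SQL, so the WHERE clause no
//    longer restricts the result set.
function lookupUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Parameterized query: the SQL text is fixed at prepare() time and the
//    value is bound separately, so it is only ever compared as a string and
//    never interpreted as part of the statement.
function lookupSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo "unsafe, untrusted input: " . json_encode(lookupUnsafe($db, $untrusted)) . "\n";
echo "safe,   untrusted input: " . json_encode(lookupSafe($db, $untrusted)) . "\n";
echo "safe,   legitimate name: " . json_encode(lookupSafe($db, 'alice')) . "\n";
```

Running it shows the unsafe lookup returning every user for the same input that the parameterized lookup treats as a literal (and unmatched) name.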