1. The first rule is to keep your password secret! I won’t say “Never use the same password twice”, but try to use different passwords for your control panel login and your configuration files, for example.
2. Whenever you give your code to a friend or post it in forums, don’t forget to edit out your private information, especially if it’s a PHP file that contains your MySQL login information.
3. Place blank index.html files in your directories. Your index.html file doesn’t need to be blank though, you can put a in it to make it special. Now your visitors won’t be able to see a listing of all the files in that directory.
4. Check your PHP scripts regularly. Make sure you have the newest versions of any programs you’re using; otherwise they may give an error that shows the path to your file and your login information, and sometimes even your password, so try to avoid that.
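Items 2 and 4 both come down to one habit: keep the MySQL login out of the script you might share, and never let PHP print its error messages to visitors. The following is an added example (not code from the original post) showing a script laid out that way. It assumes a PHP 7 or newer host with mysqli, and that you can place one file a level above your public web root; the paths, database name, user and password are placeholders.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7+ with mysqli and a
// host where you can upload a file one level above the public web root.
// Paths, hostnames and credentials below are placeholders.

// --- /home/you/private/db-config.php  (OUTSIDE the public web root) ---
// Keeping the login in this separate file means the script you hand to a friend
// or paste in a forum never contains it (item 2). Upload it once, never share it.
// Its whole content is:
//
//   <?php
//   return [
//       'host' => 'localhost',
//       'user' => 'dbuser',      // placeholder
//       'pass' => 'CHANGE-ME',   // placeholder
//       'name' => 'mysite',      // placeholder
//   ];

// --- /home/you/public_html/guestbook.php  (the file you might share) ---

// Item 4: never show raw errors to visitors. A failed connection would otherwise
// print the path of this script and, with some old scripts, the login details.
// Errors still get recorded, but in a log file that is also outside the web root.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/home/you/private/php-errors.log');

// Make mysqli throw exceptions instead of printing warnings that quote the
// connection details.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Load the credentials from the private file and open the connection.
function connectDb(string $configPath): mysqli
{
    $cfg = require $configPath;
    return new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
}

try {
    $db = connectDb(__DIR__ . '/../private/db-config.php');
} catch (mysqli_sql_exception $e) {
    // Keep the real reason for yourself; give the visitor nothing useful.
    error_log('DB connection failed: ' . $e->getMessage());
    http_response_code(503);
    exit('The site is temporarily unavailable.');
}

// ... the rest of the guestbook uses $db from here on ...
```

If your host does not let you write above the web root, the next best thing is to keep the config file inside it but deny direct requests to it, which is what the .htaccess rules under item 8 are for; the point either way is that the credentials live in exactly one file that never leaves your server.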
5. Never use a mailto: link or write out the whole email address, like email@hotmail.com. If you want to display your email on your page, make an image of it or write something like email[AT]hotmail[DOT]com.
6. If you have any files (pages/scripts/images) that you aren’t using - remove them!
7. Do not advertise your site everywhere! If you want to plug your site or sign someone’s guestbook, make sure you like their website. If you have a strange feeling about it, then better not to advertise your site there.
8. Make sure you have a .htaccess file on your server, in case you want to block someone’s IP or password-protect something. If you don’t have one, ask your host or make one yourself (but ask your host first).
9. It’s always good to have a robots.txt file on your server. It tells robots/bots to stay out of your directories.
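Items 3, 8 and 9 are all about who gets to see what on the server, and .htaccess handles the first two directly. The block below is an added example, not something from the original post: it assumes an Apache 2.4 host with AllowOverride enabled for your directories, and the IP address (192.0.2.10 is a documentation address), directory names and .htpasswd path are placeholders. It shows two separate files, one for the site root and one for a subdirectory you want to password-protect.

```apache
# Added example .htaccess files, not from the original post.
# Assumes Apache 2.4 with AllowOverride enabled; IPs and paths are placeholders.

# --- /.htaccess  (site root) ---

# Item 3: stop Apache from generating a directory listing when a directory has no
# index file, so a forgotten index.html no longer exposes a list of your files.
Options -Indexes

# Item 8: block a single visitor by IP. Both Require lines live in one RequireAll
# so the ban cannot be bypassed by another Require elsewhere in the file.
<RequireAll>
    Require all granted
    Require not ip 192.0.2.10
</RequireAll>

# Item 2 follow-up: if a config file must sit inside the web root, refuse to serve it.
<Files "db-config.php">
    Require all denied
</Files>

# --- /admin/.htaccess  (a directory you want to password-protect) ---

# Item 8: HTTP Basic auth. The .htpasswd file is created once with
#   htpasswd -c /home/you/private/.htpasswd yourname
# and must live outside the web root so it can never be downloaded.
AuthType Basic
AuthName "Admin area"
AuthUserFile /home/you/private/.htpasswd
Require valid-user
```

Two caveats a practitioner would add: if your host still runs Apache 2.2, the access rules use the older Order/Deny/Allow syntax instead of Require, so ask them which version you have; and robots.txt (item 9) is a public file that only asks well-behaved crawlers to stay away, so it is not an access control at all, and listing a directory in it mainly tells everyone that the directory exists. Anything that must actually stay private needs the rules above, not a Disallow line.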
10. And finally, download backups regularly! This is very important. Even if you have a paid host that is really great, remember that anyone can be hacked, so make sure you download a full backup at least once a month.
Good luck!