If your site uses a dynamic language and a database then you need to ensure that security loopholes are taken care of, things like:
- Session encrypted and stored in the database rather than the file system
- cross-site scripting attacks
- cross-site forgeries, file uploads (notoriously insecure as most of the examples on the web have zero security thinking inbred), form spoofing
- SQL injection
- using weak encryption algorithms
- not using a shared host - this also means not using most VPS or cloud services
- password hacking protection
- closing off error reporting or customizing it to ensure that end-users don't see what server and database technologies you are using
- you also want to stay away from using 3rd party components, but if you write your own you need to understand how to write your own secure code
- use https for everything
- separate the database and web server and maybe content onto their own servers. Use a CDN for your content.
- research your hosts thoroughly and ensure that they have an excellent security methodology that they follow, keep regular backups and have redundancy in power, bandwidth, and hardware. Research how many people have any access to the servers and ask to show proof of security clearance.
- don't upload or transfer content unless you're travelling through an end-to-end VPN tunnel
- grant the fewest privileges to the fewest people possible and only grant just what they need for the time they need it, no longer.
- have a certified hacker try to break in and provide a security audit report.
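As an added illustration of two items on the list above (SQL injection, and keeping database errors away from end users), here is a small example written for this answer, not code from the original post. It assumes Python with the standard-library `sqlite3` module and uses a constructed in-memory table; the function names and the sample rows are made up for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with two fake users for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def count_users_vulnerable(conn, username):
    """String concatenation: the user's input becomes part of the SQL text."""
    sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()[0]


def count_users_safe(conn, username):
    """Parameterised query: the driver passes the value separately from the SQL,
    so quote characters in the input are just data, never syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0]


def lookup_with_generic_error(conn, username):
    """Shows the error-reporting point: a database exception is logged
    server-side (here just swallowed) and the caller gets a generic message,
    not the driver's text that would reveal which database is in use."""
    try:
        return ("ok", count_users_vulnerable(conn, username))
    except sqlite3.Error:
        return ("error", "Request could not be processed")


def demo():
    """Run both lookups with a normal name and with a classic quote-breaking
    input; the vulnerable version matches every row, the safe one matches none."""
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": count_users_vulnerable(conn, normal),    # 1
        "vulnerable_hostile": count_users_vulnerable(conn, hostile),  # 2
        "safe_normal": count_users_safe(conn, normal),                # 1
        "safe_hostile": count_users_safe(conn, hostile),              # 0
    }


if __name__ == "__main__":
    print(demo())
    print(lookup_with_generic_error(make_db(), "'"))
```

The same pattern (placeholders instead of concatenation, generic error pages instead of raw exceptions) applies whichever language and database driver the site actually uses; only the placeholder syntax differs.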
Many of these topics open up a whole bunch of cans of worms, so this is not an easy task.