Telecom Tidbits
Jared's Network and Security Blog
40 Websites Hacked in 7 Minutes

November 27, 2017 Jared Hall Internet Security

I came across this article written by a Greek EE student named Georgios Konstantopoulos. It was published on Hackernoon here: https://hackernoon.com/how-i-hacked-40-websites-in-7-minutes-5b4c28bc8824. It is aptly titled “How I Hacked 40 Websites in 7 minutes”.

The key takeaways here are:

  1. If content can be uploaded, take precautions to prevent any execution of data within the upload folders. This is especially important for any CMS-driven website (WordPress/Joomla/Drupal/phpBB).
  2. Make sure that all web input is sanitized. Remember the XKCD cartoon “Exploits of a Mom”, starring Little Bobby Tables and his SQL Injection antics.
  3. Make sure your webserver runs as an unprivileged user, without a valid shell. This is usually “www-data” or “www”.
  4. Create proper user accounts and put the associated website data in them. Don’t be a schmuck and put all your websites under a single folder hierarchy.
  5. The webserver (Apache, Nginx, etc.) should run as the owner of the user folder that contains the website content (SETUID/SETGID).
  6. Close/Firewall unnecessary TCP/IP ports.
  7. Minimize the number of services running on the server.
  8. For CMS and other database-driven websites, (1) never reuse the same credentials across databases and (2) never use the SQL SuperAdministrator/Root credentials for the application’s database access.
  9. Just because you run Unix doesn’t make you hacker-proof. Check for patches weekly.
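A quick way to spot-check takeaways 1, 3 and 4 on a host is a small audit script. This is an added example, not code from the post or from the Hackernoon article; the user name and the document-root and upload paths it is given are assumptions for your own layout.

```sh
#!/bin/sh
# Added audit helper (not from the post). Spot-checks takeaways 1, 3 and 4.
# The web server user and the two directories are passed on the command line
# and are assumptions about the host's layout.

# Takeaway 3: the web server account must have no usable login shell.
# $1 is one passwd(5) line, e.g. "$(getent passwd www-data)".
check_nologin_shell() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *) echo "WARN: login shell is '$shell'; expected nologin"; return 1 ;;
    esac
}

# Takeaway 1: an upload tree must hold data only: no server-side scripts
# and no file with the owner execute bit set. $1 is the upload directory.
check_upload_dir() {
    [ -d "$1" ] || { echo "WARN: no such directory: $1"; return 1; }
    n=$(find "$1" -type f \( -name '*.php' -o -name '*.phtml' \
        -o -name '*.phar' -o -perm -100 \) | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n script/executable file(s) under $1"
        return 1
    fi
    return 0
}

# Takeaway 4: each site lives in its own account; the web server user
# should not own the document root. $1 is the directory, $2 the server user.
check_not_owned_by() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    if [ "$owner" = "$2" ]; then
        echo "WARN: $1 is owned by the web server user $2"
        return 1
    fi
    return 0
}

# Run all three checks; returns non-zero if any of them fails.
# $1 web server user, $2 document root, $3 upload directory.
audit_host() {
    rc=0
    check_nologin_shell "$(getent passwd "$1")" || rc=1
    check_not_owned_by "$2" "$1" || rc=1
    check_upload_dir "$3" || rc=1
    return $rc
}

# Usage: sh audit.sh www-data /home/site1/public_html /home/site1/public_html/uploads
if [ $# -ge 3 ]; then audit_host "$@"; fi
```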


Temporal Based Intelligence © 2017