Validate every input.
Use CSRF protection for every state-changing request.
Escape output by default.
Store passwords with password_hash() and verify with password_verify().
Prefer prepared statements for every database query.
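The five rules above applied together in one minimal login handler. This is an added example, not code from the original page; it assumes a PDO connection already open in `$pdo`, a `users` table with columns `id`, `email` and `password_hash` (the hash written by `password_hash()` at registration), and that the form rendered earlier embedded the session's CSRF token.

```php
<?php
// Added example; assumes a PDO connection in $pdo and a "users" table
// with columns id, email and password_hash (written by password_hash()).
session_start();

/** Issue one CSRF token per session and embed it in every form. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Compare in constant time so a mismatch leaks nothing via timing. */
function csrf_valid($submitted): bool
{
    return is_string($submitted) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // CSRF protection: refuse the state-changing request without a valid token.
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request token.');
    }
    // Validate input before it reaches the database.
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    $password = (string) ($_POST['password'] ?? '');
    if (!is_string($email) || $password === '') {
        http_response_code(400);
        exit('A valid email and a password are required.');
    }
    // Prepared statement: the value is bound, never concatenated into the SQL.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks the submitted password against the stored hash.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        http_response_code(401);
        exit('Invalid credentials.');
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
}
// Escape by default: anything echoed into HTML goes through htmlspecialchars().
echo '<input type="hidden" name="csrf_token" value="'
    . htmlspecialchars(csrf_token(), ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
```

The same generic failure message for an unknown account and a wrong password keeps the login response from revealing which emails are registered.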