Sanitise user input before sending content to database
Use addslashes() to add a "\" to all special characters before user input is sent to the database. This will minimize the risk of a cracking technique known as SQL injection in which SQL commands are inserted into text to change functionality. Adding slashes should prevent a cracker ending SQL quotes. It is also important to ensure all numeric values are, in fact, numeric, as addslashes() cannot prevent SQL injection in this case given that numeric values are given outside of quotes.
Only allow known FileTypes to be uploaded
If you allow file uploads in your website you should ensure you only allow types known to be safe. If you do not the user could upload a PHP file with their own commands and give them the same level of control as any other PHP file. Additionally, if you wish to allow upload files of questionable format safety, such as .dll, force the user to place it in a ZIP archive.
Authenticate users when an action requiring their credentials is to be performed
While sessions can be useful for storing login data, and your application should verify credentials when the user logs-in to ensure you warn them of an incorrect password, remember that given that the PHP session functionality is stored in a cookie, authentication at that point is for the sake of the user, not security and should not be trusted as a valid login. You should authenticate users from login data stored in sessions each time such an action is to be performed and confirmation that a user has been sucessfully authenticated is with variables sourced from that page. Additionally you should remember to perform addslashes() each time such data is retrieved from a client-controlled medium such as this.
Remove HTML tags from any data displayed on a page
It is vital that all HTML tags are removed from data displayed on pages. If this is neglected, what stops a user from setting up a redirect for admins to the URL that deleted a page?
Require sanitised password to be sent as a POST parameter to command pages
If there is a page on your website that deletes a page, it is vital that this page requires a valid password to be sent as a POST command. If you only rely on sessions to get the password to validate then a cracker can easily give a moderator a rouge link to such a URL and see the page deleted. No amount of confirmation can supplement this as a page refresh is still required.
Ensure any pages that accept URLs properly sanitise the input.
If you have a download script that downloads files from a certain directory you should prevent the forward slash being used as this could change the directory and allow the cracker to download your full PHP scripts as well as any file, probably with your database password somewhere within. I also recommended you only allow file extensions of needed FileTypes as an added precaution.
Hash and tweak all passwords to be stored
It is important that you not only md5 any passwords to be stored in a database, but also tweak them with some algorithm to decrease the likelyhood of falling victim to hash tables available on the web if someone cracks your website.
Backup your site and database regularly
Finally, it is important to backup your website and database regularly, in case you do fall victim to being cracked, at least this will allow your site to go back online, although if this happens I urge you to contact your site's security professional for an urgent meeting before doing so to ensure this does not happen again and convince your users you are working tirelessly to prevent future attacks.
Disclaimer: I am not a security expert and this page is merely intended to be an alternative to no security precautions. It is recommended that you consult a qualified security expert if you are serious about your website.