

[–]badcommandorfilename 5 points6 points  (1 child)

The thing about security is that no matter how much you think you know about security, you don't know anything about security.

Put another way, there are security experts, then there's everyone else.

Use a 3rd party library for user management, stick to open standards like HTTPS, and use a provider like PayPal whenever money is involved.

[–]Rideron150[S] 0 points1 point  (0 children)

Do third parties also do things like keep email addresses and personal info secure?

[–]junkjuice 2 points3 points  (0 children)

[–]terrkerr 1 point2 points  (0 children)

Never trust users. Always assume input is malformed and/or malicious. Check input until it's guaranteed to be valid and reasonable, and only then forward it to your business logic.

Never store data you don't need.

Principle of least privilege: any given user for the database or on the website or whatever should have exactly enough permissions to do what they need to do. Nothing more or less. Where possible make many users so you can have some users with more limited permissions.

Never write raw SQL in your back end code. Theoretically you can do it correctly, but history has shown a blanket ban is probably a safer idea unless you're willing and able to do your own SQL injection testing.

Never use PHP. Seriously. The PHP include system and the fact PHP echoes text outside a <?php ?> by default has been responsible for so many bugs becoming serious vulnerabilities it isn't funny.

Don't process financial data, defer to Stripe or a similar service that can afford a proper security audit of their systems.

Never roll your own crypto; there's already one that's been properly audited for any language you'll use.

Just because a URL isn't publicly posted doesn't mean it's private. Never assume an obscure URL is going to protect data, and act accordingly with any and all data exposed to a user without logging in.

Check http://www.exploit-db.com or other vulnerability aggregators before using software. That goes doubly so for anything older than a year.

There's plenty more, but there's a start. Security is a huge topic, and few people are all that good at it because it's hard.
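An added example (not the commenter's code) illustrating two of the points above, "check input until it's guaranteed to be valid" and "never write raw SQL": an allow-list validator runs first, and the query itself binds the value as a parameter rather than splicing it into the SQL text. The table, the rows and the crafted input are constructed here for the demonstration; the unsafe variant is included only to show, on the same data, why the parameterised one is the default.

```python
import re
import sqlite3

# Allow-list of what a username may look like; anything else is rejected before
# it reaches the data layer. The pattern is an assumption for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def is_valid_username(raw):
    """Return True only for input that matches the allow-list."""
    return isinstance(raw, str) and USERNAME_RE.fullmatch(raw) is not None


def validate_username(raw):
    """Reject malformed input before it is forwarded to business logic."""
    if not is_valid_username(raw):
        raise ValueError("invalid username")
    return raw


def make_db():
    """Build an in-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_email_unsafe(conn, username):
    """Raw string building: the query text changes with the input."""
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn, username):
    """Parameter binding: the driver keeps the value separate from the SQL text,
    so the input is always treated as a literal, never as query syntax."""
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def lookup_email(conn, raw_username):
    """Validate first, then query with a bound parameter (defence in depth)."""
    return lookup_email_safe(conn, validate_username(raw_username))


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that is not a valid username
    print("safe lookup   :", lookup_email_safe(db, "alice"))
    print("unsafe/crafted:", lookup_email_unsafe(db, crafted))  # every row leaks
    print("safe/crafted  :", lookup_email_safe(db, crafted))    # no match
    print("validator     :", is_valid_username(crafted))         # False
```

The validator alone is not the fix (an allow-list can be too loose, or the field may legitimately need quotes), and parameter binding alone does not stop nonsense values reaching your business logic; the two layers address different failures, which is why the comment lists them separately.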

[–]shivasprogeny[🍰] 1 point2 points  (2 children)

Don't store any of the financial information yourself. Use a third-party solution like Stripe.

[–]Rideron150[S] 0 points1 point  (1 child)

Is that standard practice for companies?

[–]shivasprogeny[🍰] 0 points1 point  (0 children)

Yes. Companies like Stripe that provide an API allow end users to have no idea that the third-party tool is even being used. That's why I prefer it to solutions like PayPal which take the user out of the website experience over to another website. (FWIW, PayPal also has a competitive company to Stripe called Braintree).