Check every query for the single-quote character, and reject it. You might think I meant checking variables in queries, but I seriously meant any single-quote character in the entire query string.
This should result in an exception:
SELECT * FROM something WHERE name = 'teletubo'
Instead, ensure you use prepared statements:
SELECT * FROM something WHERE name = ?
and pass the "teletubo" string as a parameter.
This will render all those pesky SQL injections that scar the internet useless. Failling to do this will eventually lead to 1 not-quite-properly escaped input value. Don't think that escaping all user-input is fine. The developers behind SMF think that is a solution, and SMF is open to attacks along hundreds of attack vectors (I browsed the code). Anyway: make SQL injections impossible, not unlikely.
The very same rule applies to template-engines. I'm still baffled at the complete lack of sense all these template-engine developers have. They should enforce the 'escape type' to be mandatory:
IMHO, that's the only way to prevent XSS attacks. (You can drop the 'html-' prefix if you like...)
SSH security through obscurity: run the SSH daemon on some non-standard port, like 8263.
SSH security by design: only allow logins with (private) keys, not passwords. (physically print out the keys, as an ultimate backup)
As sproingie said: don't make any administrative service accessible to anybody, regardless of the strength of your password. There will alsways be bugs/security holes (or braindead SQL exceptions) in administrative software, so hardcode some IP addresses that have access to these services. If you move to a new location, login over SSH and add that IP.
Block port 21 on your server, or shutdown the FTP daemon. FTP passwords are sent in plain text over internet. It's easy to get infected by a virus, don't think your virusscanner will catch them all for you. Don't think viruses are only on questionable websites. Websites that you regularly visit, will eventually get hacked. They will likely listen for FTP traffic and steal your password. Do every file transfer with sFTP (again, with private keys).
Never reuse passwords. Don't think that it's OK for the server root password to be the same as the mysql root password. Everything must be long and unique, at least 10 characters.