Security is a major part of any web-hosting operations. Interestingly, most of due diligence can be exercised by the client himself. I'll just jot it down in points what can client can and should do w.r.t. Security Settings.

1. Folder Permissions - Ideally a permissions for a folder should be 755 (http://en.wikipedia.org/wiki/Filesystem_permissions) and for a files it should be 644. Problem arises when 777 permission is given to a folder. We understand that for file uploading functionality to work, 777 is required, but without adequate checks in the file uploading code, this feature can easily be misused. If at all 777 permission is to be given to a folder where non-php files are to be uploaded, you should disable PHP/CGI from the concerned folder by putting a .htaccess containing following lines of code
   
   php_flag engine off
   options -execcgi
   
   
2. SQL Injection Attacks - If you are using some kind of Framework/CMS, chances are that this aspect has already been taken care off, but if you are doing custom coding, MySQL data needs to be escaped before being passed on to mysql functions. Refer to http://www.php.net/manual/en/mysqli.real-escape-string.php
3. Wordpress Comment Spam - At Pack Web Hosting we have seen several Wordpress installations loaded with comment spam. This can easily be prevented by using reCaptcha Plugin. Details at - http://www.packwebhosting.com/content/preventing-wordpress-comment-spam-recaptcha
4. Keep your local PC Virus & Malware Free - Virus & Malware on the local PC is the most common attack Vector used for attacking websites. Especially with stored passwords in various applications, this problem is further accentuated.
5. Passwords - It is something of which most of you are aware off, but still it has to be underlined that weak passwords pose the biggest threat to your websites. An ideal password should be at-least 9-12 characters long with some punctuation signs.

There are even more Caveats, but that we would handle in some another post