The basics of security
Before throwing a huge list of "to do's" at you, I would like to bring some structure to the matter (because I don't want you to overlook the most obvious reasons for security breaches).
When you are developing a website, (hopefully) you are educating yourself about how to do it safely and how to implement basic aspects of security. This can be quite complicated at times.
But before diving deep into the technicalities: what about your environment? Are you operating in a safe spot? Have you protected your machine well enough? And what about your house (or your office)?
Keep the gate closed
Not an advertisement, but looks like it
List of possible causes:
Internal causes
- Misconfiguration: number 5 in the 2021 OWASP Top 10 list of security risks
- Non-standards-compliant coding
- Insecure coding
- Poor home/office-security
- Accidental errors: exposure, publishing and uploading of sensitive assets
- Deliberate asset-sharing (insiders)
- Inside hacking / security breaches
- Software-, hardware-, file theft
External causes
- Hacking
- Zero-day attacks
- Phishing
- 3rd-party includes
- Rogue 3rd-parties
- Software-, hardware-, file theft
- Social engineering
- Hardware interchanging
- Networks
Unknown causes
Mostly the cause of a security breach becomes known after investigation, but sometimes it doesn't; needless to say, this is a real nightmare. If you do not know what caused it, you cannot be sure it won't happen again. Of course, you can build a new system from scratch to be sure that old unknown vulnerabilities no longer exist, but what if the reason was a user with malicious intent? This person might do the same again in a completely new environment.
There have been several data breaches in the past for which, to this day, we do not know the cause: sensitive information about users of a gambling site, a genealogy website, a health-care system, a people finder, smartphone applications and more has been compromised in the last few years.