Logging and logged in users

If you log all attempted access to your site you could also analyse that data to prevent hacking attempts.  If one person tries to log in to your site 50 times in three seconds it is probably not a genuine user.

If you allow users to upload files or text, only allow it for logged-in users and log their uploads.  Also consider blocking rapidly repeated uploads from the same IP address.  All of this is possible by writing $_SERVER information (such as the client's IP address) to a log file or database and then checking it in if statements when something new is uploaded to your server.

File permissions and ownership

If you understand that heading you will realise that it is possible to allow only certain people to do certain things with files, depending on their permissions.  Any uploaded files will need to be available for transmission over the network (so users can see them) but you may want to prevent execution, because otherwise a user could upload scripts and programs (such as viruses) and run them on your server.  On a hosted server this will have been done for you.  If you have your own server, change the permissions of all uploaded files to 600 or equivalent (owner can read and write but not execute the file) after upload.  If you do not know what that means then consider not running your own server!

The owner of all Web files should be the Web server.  For example, Apache has a user www-data which is used by the Web server but cannot do anything else on the computer.  All Web pages will be owned by that user.  The Web page owner (the server) will have permission to read, write and execute the pages.  No one else should be able to do anything with them, as the server will pass them out over the network when needed.

On a Linux server, use chown to change the owner and chmod to change the permissions to 700 for pages (600 is for uploaded files only, as 700 is needed to allow the PHP to execute).
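The following PHP is an added example, not code from the original page: it ties together the logging and rate-limiting idea from the "Logging and logged in users" section (one log line per login attempt, written from $_SERVER, then a check against the page's 50-attempts-in-three-seconds threshold) and the upload advice above (store the uploaded file and set its mode to 0600). The log file path is an assumed placeholder, and a database would replace the flat file on a busy site.

```php
<?php
// Added example (not from the original page). Log every login attempt with
// the client address taken from $_SERVER, then refuse further attempts once
// one address exceeds the page's threshold. Path and limits are assumptions.

const ATTEMPT_LOG    = '/var/log/myapp/login_attempts.log'; // assumed path
const MAX_ATTEMPTS   = 50; // the page's example: 50 attempts ...
const WINDOW_SECONDS = 3;  // ... within three seconds

function clientIp(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Append one tab-separated line per attempt: unix time, IP, user agent.
// Tabs and newlines are stripped from the user agent so it cannot forge
// extra log fields or lines.
function logAttempt(string $logFile, string $ip): void
{
    $agent = str_replace(["\t", "\n", "\r"], ' ', $_SERVER['HTTP_USER_AGENT'] ?? '-');
    $line  = sprintf("%d\t%s\t%s\n", time(), $ip, $agent);
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}

// Count the attempts recorded for $ip within the last $window seconds.
function recentAttempts(string $logFile, string $ip, int $window, int $now): int
{
    if (!is_readable($logFile)) {
        return 0;
    }
    $count = 0;
    foreach (file($logFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [$ts, $lineIp] = explode("\t", $line);
        if ($lineIp === $ip && (int)$ts >= $now - $window) {
            $count++;
        }
    }
    return $count;
}

// Store a file uploaded by a logged-in user, then drop the execute bits
// (0600: owner read/write only) as the page advises for uploads.
function storeUpload(string $tmpName, string $dest): bool
{
    return move_uploaded_file($tmpName, $dest) && chmod($dest, 0600);
}

// Usage at the top of the login handler.
$ip = clientIp();
logAttempt(ATTEMPT_LOG, $ip);
if (recentAttempts(ATTEMPT_LOG, $ip, WINDOW_SECONDS, time()) > MAX_ATTEMPTS) {
    http_response_code(429);
    exit('Too many login attempts; try again later.');
}
```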