Murad Mamedov, 2011-06-19 10:49:39
XSS

How to secure a site?

A bunch of sites get hacked every day. They include both very powerful projects and not very powerful ones. There are also a lot of hacking methods - from banal CSS injections to dancing with a tambourine. But if it's about a break-in, then usually professional secrets aren't given out. And it is not always clear how to patch this or that gap.

Attention, Connoisseurs, a question! Are there any resources or books that clearly teach how to secure a site? Leave links to articles, websites, books. I would be very grateful.


11 answer(s)
ertaquo, 2011-06-19
@ertaquo

Afaik, escaping variables in SQL queries (for example, through placeholders in PDO or something like that) and escaping the output text through htmlspecialchars (if you need any tags, you can always make a replacement through preg_replace or embed bb codes). Well, what about the little things - check if register_globals is off, check the Referer header in requests, etc. Most of the holes are just programmers' inattention :-)
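The two habits ertaquo names, parameterised SQL and escaping on output, put into one small PHP page, as an added example that is not code from the thread. A session CSRF token stands in for the bare Referer check, since the Referer header is often stripped by browsers and proxies for benign reasons. The `comments` table, the DSN and the credentials are assumed.

```php
<?php
// Added example (not from the original thread): parameterised SQL, output
// escaping and a CSRF token. Table "comments", DSN and credentials are assumed.
declare(strict_types=1);

// Bound parameters: the query text never contains user data, so quotes in
// $author cannot alter the statement. Emulated prepares are switched off so
// the database driver, not the PHP client, does the binding.
function findComments(PDO $db, string $author): array
{
    $stmt = $db->prepare('SELECT id, body FROM comments WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output escaping: ENT_QUOTES covers both quote styles, so the value is safe
// inside attribute values as well as element text. The charset must match
// the page's declared encoding.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// CSRF token: a per-session random secret echoed in a hidden form field and
// compared with hash_equals() on submit (constant-time comparison).
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Usage (assumed DSN and credentials).
session_start();
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrfValid($_POST['csrf'] ?? null)) {
    http_response_code(403);
    exit('bad CSRF token');
}

$author = $_GET['author'] ?? '';
foreach (findComments($db, $author) as $row) {
    echo '<p data-id="', e((string) $row['id']), '">', e($row['body']), '</p>';
}
echo '<input type="hidden" name="csrf" value="', e(csrfToken()), '">';
```

Escaping is done at the moment of output rather than on input, so the same stored value can later be emitted into HTML, JSON or a mail body with the escaping that each context needs.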

Alexander, 2011-06-19
@Palehin

Nizamutdinov M.F. — Tactics for protecting and attacking Web applications.
Various methods of hacking and protection are described. I recommend.

Alexander, 2011-06-19
@Alexx_ps

And for what purpose are you interested in such a nickname? :)
Even if there are no vulnerabilities in the code of your site, they will be in the server software. And if it is very necessary, then you will be stupidly questioned and will not suffer from hacking.

Gibbzy, 2011-06-19
@gibbzy

forum.antichat.ru
if it’s good to dig there, then all the banal ways of hacking are described there, but even if you protect yourself from all of them, you will be hacked unbanally.
There are always vulnerabilities, you need to make sure that the cost (not necessarily measured in money) of hacking does not justify the goals of hacking.

Vitaly Zheltyakov, 2011-06-19
@VitaZheltyakov

There are three levels of hacking:
— physical hacking (the server was stolen),
— system hacking (the server OS was hacked),
— script hacking.
As far as I understand, level 3 is of interest. You can read about it in the magazine programmer №11 (http://procoder.info/index.php/dl/issues/2011-/-/29--lr-11/download)
In principle, normal server settings and strict filtering by white list.
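"Strict filtering by white list", as Vitaly puts it, means describing what a valid value must look like and rejecting everything else instead of trying to clean it up. The PHP below is an added example, not code from the thread; the field names, the `SORT_COLUMNS` list and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the original thread): allow-list validation of
// request fields. Field names, the column list and the inputs are constructed.
declare(strict_types=1);

// Allowed sort columns are a fixed set. The column name ends up in SQL where
// a bound parameter cannot be used, so it is only ever taken from this list.
const SORT_COLUMNS = ['created', 'title', 'author'];

function validSortColumn(string $value): ?string
{
    return in_array($value, SORT_COLUMNS, true) ? $value : null;
}

// A username: 3..32 characters from an explicit alphabet. The anchors plus
// the "D" modifier keep a trailing newline from slipping past "$".
function validUsername(string $value): ?string
{
    return preg_match('/^[a-z0-9_]{3,32}$/D', $value) === 1 ? $value : null;
}

// A page number: an integer within a sane range. filter_var does the
// conversion and range check; strings such as "1e3" or "3abc" fail.
function validPage(string $value): ?int
{
    $n = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 10000],
    ]);
    return $n === false ? null : $n;
}

// An uploaded image name: keep only the base name and require a known
// extension, which stops "../" traversal and script uploads in one check.
function validImageName(string $value): ?string
{
    $base = basename($value);
    return preg_match('/^[a-z0-9._-]{1,64}\.(png|jpe?g|gif)$/Di', $base) === 1 ? $base : null;
}

// Usage against constructed inputs: validate everything up front and refuse
// the whole request on the first failure.
$input = ['sort' => 'title', 'user' => 'alice_01', 'page' => '3', 'img' => '../../etc/passwd'];

$sort = validSortColumn($input['sort']);   // 'title'
$user = validUsername($input['user']);     // 'alice_01'
$page = validPage($input['page']);         // 3
$img  = validImageName($input['img']);     // null: no allowed extension, rejected

if ($sort === null || $user === null || $page === null || $img === null) {
    http_response_code(400);
    exit('invalid input');
}
```

Each validator returns `null` on failure rather than a "sanitised" value, so a caller cannot accidentally keep working with partially cleaned data.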

Konstantin Frolov, 2011-06-19
@nitro80

There used to be a whb where you could ask people to test your site for vulnerabilities. Unfortunately closed.

Inflame, 2011-06-19
@Inflame

Lots of useful information on vulnerabilities: www.owasp.org/index.php/Category:Attack

Mikhail Lyalin, 2011-06-20
@mr_jok

monitoring first

Sergey, 2011-06-22
@bondbig

If the project is commercial and/or rather large, then it makes sense to use specialized solutions. They are called WAF - WebApplicationFirewall. They are just designed to protect web servers from attacks on the application (web scripts) and on the server / service itself. Some vendors are combined with IPS, some have a separate, specialized product.
From the “WAF on my own” options, I can advise you to try mod_security for apache. For php projects there are phpids.

Anton Korzunov, 2011-06-23
@kashey

set up a server… 10 years have passed… vacation!
In the middle of the vacation, it turns out that on two sites there is some kind of iframe for some non-working site.
find -mtime -10 showed a lot of interesting things, database error logs - a child prodigy who had been hammering (and still punching) into a small hole for two days ...

MrGroovy, 2020-12-21
@MrGroovy

Vulnerabilities can be conditionally divided into levels at which they are located according to the OSI model.
1) OS network stack vulnerabilities
2) Ports opened by mistake (DB sticking out without authorization).
3) Vulnerabilities associated with the operation of application protocols due to outdated software versions (ssh, ftp)
4) Weak passwords (For ssh, ftp, mysql).
5) Vulnerabilities in web applications (OWASP TOP 10)

> There are also a lot of hacking methods - from banal CSS injections to dancing with a tambourine.

> Are there any resources or books that clearly teach how to secure a site?

I advise you to read the OWASP Web Application Security Guide. It describes web vulnerabilities in detail and how to check them. For each individual vulnerability and for each individual type, there are different utilities for checking.
You can start with Nmap to determine open ports, then check SQLmap (description on GitHub) and further down the list. After the discovery of specific vulnerabilities, it is already possible to take on their elimination. For example, use filtering features or set up a cookie policy.
There are also special resources that can check most of the vulnerabilities at each level - vulnerability scanners. Here are a couple of good ones:
https://metascan.ru/
https://acunetix.com/
https://detectify.com/
> And it is not always clear how to patch this or that gap.

Try to follow the security setup guides for the applications you use. This will save you from major security issues.
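The "cookie policy" step mentioned above, done with PHP's own session settings, together with the response headers that close the most common web-application gaps. This is an added example, not code from the thread or from any of the tools it names; the header values are illustrative defaults and the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example (not from the original thread): hardened session cookie
// settings and baseline security headers. Values are illustrative defaults.
declare(strict_types=1);

function hardenSession(): void
{
    // Secure: never sent over plain HTTP. HttpOnly: not readable by script,
    // so an XSS cannot simply read the cookie. SameSite=Strict: not attached
    // to cross-site requests, which blunts CSRF. (Array form: PHP 7.3+.)
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept a session id from the URL
    session_start();
}

function securityHeaders(): array
{
    return [
        // Only our own origin may supply scripts and styles; inline script is refused.
        'Content-Security-Policy'   => "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
        'X-Content-Type-Options'    => 'nosniff',
        'X-Frame-Options'           => 'DENY',
        'Referrer-Policy'           => 'strict-origin-when-cross-origin',
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
    ];
}

function sendSecurityHeaders(): void
{
    header_remove('X-Powered-By');   // do not advertise the PHP version
    foreach (securityHeaders() as $name => $value) {
        header($name . ': ' . $value);
    }
}

// Regenerate the session id when privilege changes (login), so an id fixed
// in the browser before login is not carried into the authenticated session.
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
}

hardenSession();
sendSecurityHeaders();
```

Both functions must run before any output is sent, since PHP cannot add headers once the response body has started; in practice they belong in a front controller or an auto-prepended bootstrap file.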
