
Web Security Tips To Keep Your Website Secured And Running.. - Computers - Nairaland


Web Security Tips To Keep Your Website Secured And Running.. by masterpreshy: 2:54am On Nov 14, 2015
Hi, I am a Cyber Security Professional.
Most times I come across websites and I detect loopholes; usually they are mistakes from the web developer.
1. If you're using PHP, I guess you've made an upload page or script to transfer files to the server? But did you remember to filter?
Reasons why you should filter your uploader script: (a) A bad guy could transfer a web backdoor (virus) to your web server and get FTP or more access to your files and credentials such as database, cPanel etc.
How do I filter my PHP uploader?
NB: I don't know how you code, but I hope you grab it.

[code]
<?php
$allowed_extensions = array(".jpg", ".png"); // These are the allowed types
$filename = $_FILES["image"]["name"];
// Take the part from the LAST (.) onward, lowercased, so "photo.JPG" is accepted
// and a name like "file.php.jpg" is judged on its final extension
$check_extension = strtolower(substr($filename, (int) strrpos($filename, '.')));
if (!in_array($check_extension, $allowed_extensions, true))
{
    echo htmlspecialchars($check_extension) . ' Is not an allowed type of File';
    exit; // stop here so the rejected file is never saved
}
?>
[/code]


Now with that block of code, we have just prevented shells and backdoors from being uploaded to your website..


2. I guess you've heard of Cross-site scripting (XSS);
it is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into webpages viewed by other users.
Now how can XSS affect you? Not even you, your users!!
You could lose audience; lemme get to the point..
<script>alert("THIS IS A JAVASCRIPT CODE");</script>
Mostly these codes are executed on a $_GET (method of processing information) parameter; in PHP I'll show you how to protect yourself.
[code]
<?php
// I'll write a function to prevent it!
function kill_xss($kill_xss)
{
    $parameters = array("<script>", "</script>", "<", ">"); // Add more here
    $kill_xss = str_replace($parameters, ' NOT ALLOWED ', $kill_xss);
    return $kill_xss;
}
$test = kill_xss(isset($_GET["xss"]) ? $_GET["xss"] : ''); // replace this with your $_GET parameter
if ($test)
{
    echo $test; // this is just for testing
}
?>
[/code]


3. SQL injection, as the name implies, SQL (Structured Query Language).. We all know that you are the only one who can execute queries, either from phpMyAdmin or the mysql shell.. hmmm, but this vulnerability can allow an attacker to run such queries and steal your credentials. How do we prevent this? And how does it happen..
EG: A web developer writes code to fetch some information from the database using a $_GET parameter (might be an ID) and he/she did not secure the input; this could happen:
SQL error: There is an error in your SQL statement in line .....
If an attacker sees that, he can have access to the database by injecting a few queries. Let's protect this!
With PHP once again!
[code]
<?php
$id = intval(isset($_GET["id"]) ? $_GET["id"] : 0); // This removes any other string apart from a numeric value
?>
[/code]

Instead, use mysqli_real_escape_string(); or go for PDO.

That's all for now, drop your comments, more on the way.

The last Image is edited and not real.
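Hardened versions of the three snippets above, as an added example that is not the poster's code. It assumes a PDO connection already open in `$pdo`, a `users` table with `id` and `name` columns, and an upload directory `/var/www/uploads_private` outside the web root (all assumptions).

```php
<?php
// Added example, not the poster's code. Assumes $pdo (PDO connection), a "users" table
// with id/name columns, and the directory /var/www/uploads_private outside the web root.

// 1. Upload filter: allow-list the extension AND the detected MIME type, then store the
//    file under a server-chosen random name so the client-supplied name never hits disk.
function validate_upload(array $file, array $allowed): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Use the part after the LAST dot, lowercased, so "shell.php.JPG" is judged on "jpg".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    // Check the bytes, not the name: a PHP script renamed to .jpg fails this test.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext; // no user input in the stored name
}

$allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png'];
if (isset($_FILES['image'])) {
    $name = validate_upload($_FILES['image'], $allowed);
    if ($name === null) {
        http_response_code(400);
        exit('File rejected');
    }
    move_uploaded_file($_FILES['image']['tmp_name'], '/var/www/uploads_private/' . $name);
}

// 2. XSS: rather than stripping "<script>", encode on output so the browser displays the
//    text exactly as typed and never interprets it as markup.
$raw = isset($_GET['xss']) ? $_GET['xss'] : '';
echo htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

// 3. SQL injection: the id never touches the query text; the driver sends it separately.
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute([':id' => (int) (isset($_GET['id']) ? $_GET['id'] : 0)]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo $row ? htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8') : 'Not found';
```

Because the uploads directory is outside the web root, a file that slips past both checks is still served only through your own download handler, never executed by the web server.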
Re: Web Security Tips To Keep Your Website Secured And Running.. by ferdiklint(m): 1:17pm On Mar 28, 2017
Nice one
