* I'd guess most important is server side programming. Protect all possible incoming external variables (post/get/request data). It seems variables that eventually find themselves into a SQL statement are especially exploited.
* User submitted content has a similar issue. If your site allows users to submit content which is later displayed on the site, be sure your site's programming protects against user submitted JavaScript code. JavaScript code has access to website user credentials. This can allow for the hijacking of user accounts, including the administrator account, if a user were to log in and visit a page containing hacker-submitted JavaScript.
* Be aware of files that may be inadvertently available from a web server. Data files, log files, account files, config files, development versions of sites.
* Keep your server and workstation software updated. This includes your framework, application, plugins and OS software. Stay up to date with security news on the software products in use in your production.
* Be very careful which websites you visit with development machines (even mainstream sites can become infected). Perhaps avoid using a Windows based machine for development if you're using it for casual/social browsing. Limit the development machine's scope to absolutely what is necessary to accomplish its daily task. (Consider using a browser in a virtual machine if you must visit many websites.)
* Never access your accounts using a computer which you do not manage (like a friend's computer or a computer in a hotel lobby).
* Never access accounts using any computer (even computers you manage) from a public hotspot unless you are using HTTPS, SSH, VPN or some other end-to-end encryption system to access the account.
* Never (and I know this is a challenge, but it is important) use the exact same password for important accounts. When creating a casual account, never use a password that is even close to the password of an important account. One method is to create a password system: a system that uses a base rule and modifies the password slightly but non-obviously based on the name of the account or service you are signing up for.
* And lastly be careful what you share and with whom. One bit of knowledge may lead to another. Many hacks are 'social hacks' and involve direct communication. This type of attack can involve misrepresentation to gain information like security pins, names, phone numbers, email addresses, account numbers, and ultimately passwords.
When it comes down to it... hacking is largely about who knows the system better. You or the hackers. Know your system :)
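The first two points of this answer (protecting incoming variables that reach a SQL statement, and escaping user submitted content before it is displayed) are easiest to see side by side. The following is an added example, not code from the original post: a constructed in-memory SQLite table of users, a lookup written once by string concatenation and once with parameter binding, and a comment renderer written once with raw interpolation and once with HTML escaping. The table contents, the user names and the sample inputs are all made up for the demonstration.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def setup_db():
    """Build a throwaway in-memory database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """The incoming variable is concatenated into the SQL text itself.

    Anything the client puts in `name` is parsed as SQL, so a value that
    closes the quote and adds a condition changes what the query means.
    """
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """The incoming variable is bound as a parameter.

    The SQL text is fixed; the driver passes `name` to the engine as data,
    so quotes or keywords inside it are only ever compared, never executed.
    """
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_comment_vulnerable(text):
    """User content dropped straight into the page markup."""
    return '<p class="comment">' + text + "</p>"


def render_comment_safe(text):
    """User content escaped for an HTML text context.

    html.escape turns <, >, &, " and ' into entities, so the browser
    displays the submitted text instead of interpreting it as markup.
    """
    return '<p class="comment">' + html.escape(text, quote=True) + "</p>"


if __name__ == "__main__":
    conn = setup_db()
    # Constructed malicious inputs, labelled as such.
    tricky_name = "x' OR '1'='1"
    tricky_comment = "<script>runAttackerCode()</script>"

    print("concatenated SQL:", lookup_vulnerable(conn, tricky_name))  # every email
    print("parameterised SQL:", lookup_safe(conn, tricky_name))       # nothing
    print("raw HTML:", render_comment_vulnerable(tricky_comment))
    print("escaped HTML:", render_comment_safe(tricky_comment))
```

Two caveats a practitioner would want: parameter binding only protects the values, so table or column names that come from a request still need a whitelist; and `html.escape` is correct for an HTML text or quoted-attribute context only, so content that lands inside a `<script>` block, an event handler attribute or a URL needs the encoding appropriate to that context instead.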