Your primary goal in addressing web security should be covering your basic risks. You don't necessarily have to be at the cutting edge; the real goal here is not to be the "low hanging fruit". Here are a few tips that will help cover you no matter how your website or server is constructed.
Tip #1 - Shut Off Directory Indexing.
Directory index pages are useful because of the information they provide, and that's exactly why they're dangerous. Unless you are running a web site that's dedicated to serving out files for download, shutting off directory indexing is a good idea. You don't want someone hitting a folder without a properly configured default index file, because when they do they're able to see a full list of files in that folder. This means a visitor's foot is in the door. Put simply: directory indexing allows outsiders to view, and potentially exploit, files you did not want publicly accessible.
Use .htaccess and this beautifully simple code to instruct your server to avoid indexing.
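The post does not reproduce the snippet it refers to, so here is an added example (not the original post's code) of the weak setting beside the fix. It assumes Apache with mod_autoindex loaded and the directory's `AllowOverride` including `Options`, which is what lets a `.htaccess` file change this at all:

```apache
# .htaccess at the document root; applies to every folder below it.
# Added example, not the original post's code.

# Weak: with Indexes on, a request for a folder that has no index
# file (index.html, index.php, ...) returns a listing of its contents.
# Options +Indexes

# Fix: turn the listing off. A folder with no index file now answers
# 403 Forbidden instead of showing what is inside it.
Options -Indexes
```

Two things to check after adding it: if the server config does not grant `AllowOverride Options` (or `AllowOverride Options=Indexes`) for that directory, Apache refuses the directive and the site returns 500, so test a page right away; and if you administer httpd.conf yourself, putting `Options -Indexes` in the `<Directory>` block there covers every virtual host without depending on per-folder files.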
Tip #2 - Secure Select Folders
This tip applies especially to folks using a CMS, but anyone can secure a website folder easily. There are several approaches I've come across, but I believe a well-placed IP restriction is usually the best method in this scenario.
If you're using WordPress it'd be your wp-admin folder, and for Joomla or Drupal it'd be administrator. What these folders have in common is that nobody else needs to see what's inside. Simply find which folder you want to secure, add a file named ".htaccess" in it, then add the following code...
Order Deny,Allow
Deny from all
Allow from XXX.XXX.XXX.XXX
All you need to do is fill in your IP where the X's are and you're ready to roll. What this code does is say: "Kick out everybody... except that one guy, he's alright". Don't know your IP? We like to visit Arul John to pick up this info really quickly (http://aruljohn.com/).
All things considered, this is a very powerful .htaccess trick if you use it wisely. Basically you're forcing a hacker to spoof your IP, or someone would need to be in your physical location, to force access into that web folder.
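As an added example (not the original post's code), the same restriction written for both Apache generations, since the `Order`/`Deny`/`Allow` directives the post uses belong to the Apache 2.2 access module and, on Apache 2.4, only work when the compatibility module mod_access_compat is loaded. The address 203.0.113.5 is a documentation placeholder standing in for your own IP:

```apache
# .htaccess inside the admin folder (wp-admin/ or administrator/).
# Added example, not the original post's code.
# 203.0.113.5 is a placeholder; replace it with your own address.

# Apache 2.2 (mod_access). "Order Deny,Allow" evaluates the Deny
# rules first and lets Allow rules override them, so "Deny from all"
# plus a single "Allow from" admits exactly that one address.
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.5
</IfModule>

# Apache 2.4 (mod_authz_core). Without mod_access_compat the 2.2
# directives are unknown commands and the folder returns 500, so
# express the same rule with Require. Anything not matched by a
# "Require ip" line is refused.
<IfModule mod_authz_core.c>
    <RequireAny>
        Require ip 203.0.113.5
        # A second location or a whole range goes on its own line:
        # Require ip 198.51.100.0/24
    </RequireAny>
</IfModule>
```

Two caveats before relying on it. If your site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than the visitor's, so the rule will either lock everyone out or let everyone through until the real client address is restored (mod_remoteip does this on 2.4). And on WordPress, front-end plugins often call wp-admin/admin-ajax.php on behalf of anonymous visitors; if those features break after locking the folder, exempt that one file with a `<Files admin-ajax.php>` block rather than loosening the whole rule.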
Tip #3 - Use SSL if Necessary.
If secure account access or a payment process is needed, you should be using SSL encryption. Setting up SSL is not ultra-tricky, but make sure your developer knows what they're doing. A little experience dealing with e-commerce sites tells me that this isn't something to rush through. If you secure your website properly once, you won't need to do it again. Know what needs to be secured, how the doorway will be addressed, and over-engineer when in doubt. Put plainly: measure twice and cut once.
Also, make sure you don't allow your SSL certificate to expire. It harms your brand more than you'll know. Nothing is less reassuring than expecting to see a "lock" and seeing a "red error warning" instead.
Tip #4 - If possible - Keep your Directory Root isolated.
Subfolders can be dangerous, and you'd hate to lose your primary site because of some sandbox you built to play in. If able, isolate your document root to a folder or drive with nothing of value. Don't forget: sometimes web development isn't about what you provide, sometimes it's about what you don't.
Tip #5 - Shut off non-essential listen ports on your web site.
Shut down telnet, ftp, finger, and any other ports you are running that aren't absolutely essential. Run netstat -an | grep -i "listen" on Unix, or netstat -an | find "LISTEN" on Windows, to find which ports your web server is listening on, then shut down whatever isn't essential.