You can start by doing the following:
- Check $_GET/$_POST variables that write to a database by inserting or ' in any input that records to the database.
  If you get an SQL error, your application is not secure.
- Make sure PHP, the OS, and everything else that you are using is always updated.
- Make sure you have a firewall installed and it is up to date
- If possible, disable the FTP port entirely if you're on and switch to SFTP.
- Rename any admin directory from "admin" to something not so familiar, with some numbers and letters.
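
The quote check from the first item, shown against a query built by string concatenation and against the same query written as a prepared statement. This is an added example, not part of the original post; the `comments` table, the function names and the sample input are constructed, and it assumes PHP with the `pdo_sqlite` extension so that it runs against an in-memory database.

```php
<?php
// Added example: constructed table and inputs, in-memory SQLite via PDO (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Vulnerable: the request value is concatenated into the SQL text.
function save_comment_unsafe(PDO $db, string $author, string $body): void
{
    $db->exec("INSERT INTO comments (author, body) VALUES ('$author', '$body')");
}

// Hardened: placeholders keep the value out of the SQL text.
function save_comment_safe(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// The check from the list: submit a quote character and see whether the database complains.
function quote_check(PDO $db, callable $save): string
{
    foreach (["'", '"'] as $probe) {
        try {
            $save($db, 'tester', "it{$probe}s a test");
        } catch (PDOException $e) {
            return 'SQL error on ' . $probe . ' -> input reaches the query unescaped';
        }
    }
    return 'no SQL error, value stored as data';
}

// The arguments stand in for $_POST['author'] and $_POST['body'].
echo 'unsafe: ', quote_check($db, 'save_comment_unsafe'), PHP_EOL;
echo 'safe:   ', quote_check($db, 'save_comment_safe'), PHP_EOL;

// Rows written through the prepared statement keep the quote characters verbatim.
foreach ($db->query('SELECT body FROM comments') as $row) {
    echo 'stored: ', $row['body'], PHP_EOL;
}
```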