There is a number of things you can do to to protect your php based website. I'm not going to go into great detail of these as it would take too long, but I will give you basics for you to do some research on:
Firstly, ensure that display_errors is OFF on your production website as having this ON can give away details you don't want people to know. ON for development, OFF for production.
Secondly, protect yourself against nasty SQL injections using the PHP mysql_real_escape_string() function. Very simple to use and stops people from adding bits to your query window, like putting there name as Dave; drop clients; which could potentially drop the clients table if it exists.
Thirdly, do a bit of research of XSS (cross site scripting) to make sure you are secure from it.
Fourth, ensure that important site details, like config files and database strings and even text based database files are outside of the main site structure, which stops them being viewed via a browser. You can include them using the full file path.
Fifthly, investigate the allow_url_fopen and allow_url_include directives for the php.ini file and set accordingly. This can stop external scripts from overwriting or inserting into your webfiles.
to set another path for storing them. You can also store them in a database,
but then you will have to write your own handler using the function called
Several other things but that should protect you from most intrusions.