The best way to go is to develop with security in mind; that means keeping up with "best practices".
For any form of successful compromise, the attacker would be advised: "Use the source code, Luke", so do not allow someone to intelligently poke into developer module accounts, as you may see 4 attempts per account, and they will always attack the account of your boss, as he may not be as aware of user enumeration attacks as you are. Go to the server application logs to know what is eventually going on.
Persistent attackers always form a challenge. Be fully aware of the attack surface you leave open or haven't got available
(securely handled tokens, encrypt all your traffic; iFrame tags can lead to any form of exploit: very bad, but also very commonly found).
On the subject of PHISHING: to protect your Webserver from infection, make sure you protect your root password:
Make sure you don't use it across unencrypted connections.
Make sure you don't allow direct root login over the network, so nobody can perform online brute-force and dictionary-attack password-cracking attempts. A previous article of mine can help secure your server against brute-force password cracking attempts.
Make sure your root password is strong — preferably at least 12 characters including capital and lower-case letters, numbers, special characters, and spaces.
Make sure your passwords use Blowfish instead of MD5 or DES.
To check whether your Webserver is infected, try creating a directory whose name starts with a numeral, with a command like:
mkdir 123
If it doesn't work, your system is probably infected.
(source info quote credits go to Tech Pro TechRepublic)
polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
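A small POSIX shell audit for the root-password points above (no direct root login over the network, Blowfish rather than MD5 or DES for the password hash) together with the numeric mkdir check, added here as an example and not part of polonus's post. It assumes the default paths /etc/ssh/sshd_config and /etc/shadow and reads the hash scheme from the crypt(3) prefix of the root entry.

```shell
#!/bin/sh
# Added example, not from the original post: audit a server against the
# root-password advice above. The config paths are the usual defaults but
# are assumptions; override them through the environment if yours differ.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SHADOW_FILE="${SHADOW_FILE:-/etc/shadow}"
# Classify a crypt(3) hash by its prefix: $2a$/$2b$/$2y$ is Blowfish (bcrypt),
# $1$ is MD5, $5$/$6$ are SHA-2, and a bare 13-character string with no '$'
# is traditional DES. A leading '!' or '*' (or an empty field) means locked.
hash_scheme() {
  case "$1" in
    '$2a$'*|'$2b$'*|'$2y$'*) echo blowfish ;;
    '$1$'*) echo md5 ;;
    '$5$'*) echo sha256 ;;
    '$6$'*) echo sha512 ;;
    '!'*|'*'*|'') echo locked ;;
    *) if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
  esac
}

# Scheme of the root entry in a shadow-format file (field 2 of the root line).
root_hash_scheme() {
  hash_scheme "$(awk -F: '$1 == "root" { print $2; exit }' "$1")"
}

# Effective PermitRootLogin: the last uncommented directive wins; when it is
# absent OpenSSH defaults to prohibit-password.
permit_root_login() {
  awk 'tolower($1) == "permitrootlogin" { v = $2 }
       END { print (v == "" ? "prohibit-password" : v) }' "$1"
}

# The infection check from the post: create a directory whose name starts
# with a numeral, inside a scratch directory. Returns 0 if it works.
numeric_mkdir_works() {
  d=$(mktemp -d) || return 1
  if mkdir "$d/123" 2>/dev/null; then rm -rf "$d"; return 0; fi
  rm -rf "$d"; return 1
}

audit() {
  echo "PermitRootLogin: $(permit_root_login "$SSHD_CONFIG")"
  echo "root hash scheme: $(root_hash_scheme "$SHADOW_FILE")"
  if numeric_mkdir_works; then echo "mkdir 123: ok"
  else echo "mkdir 123: FAILED, investigate the host"; fi
}

# /etc/shadow is root-readable only, so the full report needs root to run.
if [ -r "$SSHD_CONFIG" ] && [ -r "$SHADOW_FILE" ]; then audit
else echo "need read access to $SSHD_CONFIG and $SHADOW_FILE" >&2; fi
```

A result of "md5", "des" or "yes" in the report is the condition the post warns about; "locked" means the root account has no usable password hash at all.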