You can start with the
OWASP Top Ten Web Application Security Risks. Once you've addressed those,
you should go to the vendors of any software you are using (OS, database, web server, application server, etc.) and sign up for their update and security notifications. Next, keep up with the updates and security patches. Security isn't something you set up and it just runs. You have to have a process. And take care of the small stuff: shut down unused daemons, use strong passwords, disable unused accounts and so on.
Now you can do all this and still get hacked, however, if your window is shut and your neighbor's window is open, hackers may just give up and go for the easy pickings. Also, you can take comfort in the fact that most security breaches are inside jobs.