I use the OWASP top 10 (as updated in 2017) as a framework to take a look at security best practices to keep your site safe and take the perspective of an attacker to understand exploits.