Hello. I would like to share with you my knowledge about how you should secure your website so that no unpleasant incidents occur. Nowadays people more and more often forget about it, postpone it for later, or simply do not know how to do it. Here I will give you some tips that can help in most cases.
1.) It may be controversial for some, but one of the best solutions is not to use PHP and to switch to Express frameworks instead, as they are much better protected against SQL Injection, XSS and many other things.
2.) Securing login/registration from bots is a good solution because it avoids possible lagging of the site by a huge number of bots and clogging the database with fake users. The best way to do this is to add reCAPTCHA or hCaptcha, because it costs nothing and protects your site quite well against such cases. Of course there are also sites like 2Captcha which sell captcha-solving services cheaply, but it is still worth adding a captcha because some "bots" will be discouraged by the fact that they have to pay for it before they can do anything else.
3.) Improve site logs to show suspicious activity, even for trivial things, so that you can react quickly if someone finds a vulnerability on your site.
4.) Secure your database as well as all admin pages as well as possible, and use passwords of at least 16 characters with special characters, because someone may try to hack in using brute force. Although it is not very popular nowadays, it is still a threat to many sites; even hosting companies that provide access to the database via their website often generate such a weak password that it is possible to hack into almost any database, which usually leads to leaks.
5.) Scan the website regularly yourself for vulnerabilities, even with free tools from the net, so that no one does it before you and finds something they should not.
6.) Regularly delete old unused endpoints, as they can also lead to many different problems depending on what the endpoint was doing and how secure it was.
7.) Make sure that the user session is secure, e.g. that the cookie is not so badly done that changing it in the right way can even lead to logging in as another user and using their account without restrictions.
8.) Use sites that can help with security to detect whether a user has a VPN, proxy or Tor, and block them if necessary or just keep an eye on them.
There are many other ways, but I have listed the ones I come across most often on websites; it may be useful to someone.