Key Site Architecture Considerations

Virtually every site or web application should consider the following:

  • Multilingual capable - even if the content is not immediately available in other languages. Retrofitting translation into a site is extremely costly.
  • Common components - any code that will execute in more than one place should be shared through includes or other mechanisms.
  • Hierarchical templates - this provides a more consistent interface and more efficient code. Templates must be general enough to support this.
  • Appropriate user assistance - help at both the field and page level.
  • List of browsers supported - you can’t support every browser. Identify those you will.
  • Graceful error handling - don’t just issue a print or echo and die.
  • Security - close the windows and doors into your application. Ensure error handling prevents disclosure of code and database elements.
  • Configuration - database access constants should be sourced from a single point, as should all other configuration directives. This ensures all elements of the application, including backend/offline scripts, use the same values. Otherwise, the constants can’t be changed without risking the integrity of the system.
  • Server configuration - prevent access to areas the site visitor should not see at the server level.
  • Multi-mode deployment - only put the code required on the server. Set up the distribution/installation process accordingly.
  • Use mod_security.
  • Let the web server be the only reader of script files. This makes it more difficult for hackers to get to the web code.
  • Use robots.txt and meta tags to keep things out of search engines unless necessary.
  • Move SSH off port 22, or close it entirely to public access.
  • Enforce these practices across the entire team, and audit for them during development.
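
The error-handling and security items above, sketched as an added PHP example that is not part of the original list (PHP is assumed because the list speaks of print, echo and die). Failures are logged in full on the server while the visitor sees only a generic message with a reference id; the function name describe_failure and the sample exception are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: one central handler instead of scattered echo/die calls.
ini_set('display_errors', '0');   // never render errors into the page
ini_set('log_errors', '1');       // keep the detail in the server log instead
error_reporting(E_ALL);

// Build the generic response and the detailed log record for one failure.
// (Hypothetical helper; returns both so neither depends on output state.)
function describe_failure(Throwable $e): array
{
    $ref = bin2hex(random_bytes(8));   // correlation id shown to the visitor
    $log = sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
                   $e->getMessage(), $e->getFile(), $e->getLine());
    $body = 'Something went wrong. Please try again later. Reference: ' . $ref;
    return ['ref' => $ref, 'log' => $log, 'body' => $body];
}

// Promote warnings and notices to exceptions so they reach the same handler.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    if (!(error_reporting() & $no)) {
        return false;              // respect the @ operator / current level
    }
    throw new ErrorException($msg, 0, $no, $file, $line);
});

set_exception_handler(function (Throwable $e): void {
    $f = describe_failure($e);
    error_log($f['log']);          // full detail stays on the server
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo $f['body'];               // no message, path, SQL or stack trace
});

// Constructed demonstration: a failing database call whose message names a
// table and column. The visitor sees only the generic text and reference id.
throw new RuntimeException("SQLSTATE[42S22]: Unknown column 'pwd' in users");
```

The reference id lets support staff find the matching log entry without the page ever exposing code or database details.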