Every website has a backend that is used to develop the site and to configure its settings. What if someone finds that door into your website? The entry point you use for web development can become a weak point for your website.
Drupal has a secure login to authenticate users, yet many Drupal sites are still compromised by attacks such as bots and SQL injection. There are many things you can do to make your site safe. These measures should be taken at an early stage of development.
A common hack is simply to modify the index.php file or a template file. Beyond this, arbitrary code execution can be used to modify server file permissions and to execute a command shell, which can later be used to access the server system. To prevent this, always back up your files and compare the two copies in case of an attack.
All Drupal modules execute scripts on your server. Check your module permissions and always use trusted modules. Allow access only to a limited set of authenticated users with the right permissions. Update and delete unwanted sessions; if the identity of your site's users is at risk, it is better to delete all sessions.
The menu router table is accessed at an early stage of a page request. Keep track of the menu router table for common signatures of an attack, such as "file_put_contents" or "assert" in the access callback.
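One way to run that check, as an added example that is not part of the original article: it assumes the Drupal 7 schema (table menu_router with columns path and access_callback) and uses a constructed in-memory SQLite table so it runs offline. On a real site the same query would be run against the Drupal database.

```python
import sqlite3

# Signatures named in the text above; extend the set for your own site.
SIGNATURES = {"file_put_contents", "assert"}

# Assumed Drupal 7 schema: table menu_router, columns path and access_callback.
QUERY = "SELECT path, access_callback FROM menu_router ORDER BY path"


def normalize(callback):
    """PHP function names are case-insensitive and may carry a leading backslash."""
    return (callback or "").strip().lstrip("\\").lower()


def find_suspicious_routes(conn, signatures=SIGNATURES):
    """Return (path, access_callback) rows whose callback equals a signature.

    Exact matching after normalization avoids flagging legitimate callbacks
    that merely contain a signature as a substring.
    """
    wanted = {normalize(s) for s in signatures}
    rows = conn.execute(QUERY).fetchall()
    return [(path, cb) for path, cb in rows if normalize(cb) in wanted]


def build_sample_db():
    """Constructed sample data: a cut-down menu_router table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE menu_router (path TEXT PRIMARY KEY, access_callback TEXT)")
    conn.executemany(
        "INSERT INTO menu_router VALUES (?, ?)",
        [
            ("node", "user_access"),
            ("user/login", "user_is_anonymous"),
            ("admin/config", "user_access"),
            ("constructed-path-1", "file_put_contents"),
            ("constructed-path-2", "Assert"),  # mixed case still resolves in PHP
            ("constructed-path-3", "my_module_assert_access"),  # legitimate name
        ],
    )
    return conn


if __name__ == "__main__":
    for path, cb in find_suspicious_routes(build_sample_db()):
        print(f"ALERT menu_router path={path!r} access_callback={cb!r}")
```

Run it on a schedule and alert on any returned row, since a normal site has no reason to use these functions as access callbacks.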
Keep your site updated with the latest security updates.