Below are things to do to secure your web application:
The database user the application connects with should only have INSERT, SELECT, UPDATE and DELETE privileges, not other database statements like DROP, CREATE etc.
Require a reCAPTCHA once the number of wrong login attempts exceeds x times.
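An added example (not code from the original checklist) of the login-attempt rule above: a tracker that counts failed logins per account inside a sliding window and refuses to even check the password once the threshold is reached unless a captcha has been solved. The threshold, window and the `verify_password` callback are assumptions; in a real deployment the counter would live in shared storage and you would usually track by client IP as well as by account.

```python
import time
from collections import defaultdict

# Constructed policy values (assumptions, not from the checklist)
CAPTCHA_AFTER = 5          # wrong attempts before a captcha is required
WINDOW_SECONDS = 15 * 60   # attempts older than this are forgotten


class LoginAttemptTracker:
    """Counts failed logins per account within a sliding window and
    reports when a captcha must be solved before the next attempt."""

    def __init__(self, threshold=CAPTCHA_AFTER, window=WINDOW_SECONDS, clock=time.time):
        self.threshold = threshold
        self.window = window
        self.clock = clock                      # injectable for testing
        self._failures = defaultdict(list)      # username -> [timestamps]

    def _prune(self, username):
        cutoff = self.clock() - self.window
        self._failures[username] = [t for t in self._failures[username] if t > cutoff]

    def record_failure(self, username):
        self._prune(username)
        self._failures[username].append(self.clock())

    def record_success(self, username):
        # A correct login resets the counter for that account
        self._failures.pop(username, None)

    def failure_count(self, username):
        self._prune(username)
        return len(self._failures[username])

    def captcha_required(self, username):
        return self.failure_count(username) >= self.threshold


def attempt_login(tracker, username, password, captcha_ok, verify_password):
    """Gate the login. Once the threshold is reached the password is not
    checked at all until the captcha has been solved, so an automated
    guesser gets no further signal from the server."""
    if tracker.captcha_required(username) and not captcha_ok:
        return "captcha_required"
    if verify_password(username, password):
        tracker.record_success(username)
        return "ok"
    tracker.record_failure(username)
    return "invalid_credentials"
```

The response strings are deliberately the same for "no such user" and "wrong password" so the login form does not confirm which accounts exist.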
Never display raw ids in the URL; use hashed ids instead – check out hashids.org
Always check that a user can't view, access or update any data that does not belong to them, especially on a multi-tenant system.
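An added example (not from the original checklist) of the ownership check above on a constructed multi-tenant invoices table in SQLite: the vulnerable query trusts the id from the URL alone, while the hardened versions take the tenant id from the server-side session and filter every SELECT and UPDATE by it. The table, the sample rows and the function names are assumptions. Note that obscuring ids in the URL (the previous item) does not replace this check; the tenant filter is the actual control.

```python
import sqlite3


def build_demo_db():
    """Constructed sample data: two tenants (100 and 200), two invoices each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        "id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL, amount INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, 100, 250), (2, 100, 400), (3, 200, 999), (4, 200, 120)],
    )
    conn.commit()
    return conn


def get_invoice_unscoped(conn, invoice_id):
    """Vulnerable pattern: any logged-in user who knows (or guesses) an id
    can read another tenant's invoice, because nothing ties the row to the
    caller's tenant."""
    return conn.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice(conn, session_tenant_id, invoice_id):
    """Hardened: the tenant id comes from the authenticated session, never
    from the request, and is part of the WHERE clause. Returns None when
    the invoice belongs to someone else; the caller should answer 404 so
    the response does not reveal that the id exists."""
    return conn.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
        (invoice_id, session_tenant_id),
    ).fetchone()


def update_invoice_amount(conn, session_tenant_id, invoice_id, amount):
    """Same rule for writes: the UPDATE is scoped by tenant, so a request
    for a foreign invoice simply matches zero rows."""
    cur = conn.execute(
        "UPDATE invoices SET amount = ? WHERE id = ? AND tenant_id = ?",
        (amount, invoice_id, session_tenant_id),
    )
    conn.commit()
    return cur.rowcount == 1
```

Putting the tenant filter into a single data-access layer (rather than in every handler) is what makes the check hard to forget.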
Enforce a minimum password length of 8 characters. Better still, require numbers, capital letters and special symbols.
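An added example (not from the original checklist) of the password rule above as a validator that reports every rule a candidate password fails, so the form can show all problems at once. The minimum length is the checklist's 8; the composition rules are the checklist's "better to include" recommendations. It also goes one step beyond the text by rejecting a few well-known weak passwords from a constructed blocklist, which is an assumption added here.

```python
import re

MIN_LENGTH = 8  # from the checklist

# Constructed blocklist; a real deployment would use a large breached-password list
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123", "letmein1"}

# Rule name -> predicate. "min_length" is the hard requirement; the
# remaining three are the checklist's recommended character classes.
RULES = {
    "min_length": lambda p: len(p) >= MIN_LENGTH,
    "digit":      lambda p: re.search(r"\d", p) is not None,
    "uppercase":  lambda p: re.search(r"[A-Z]", p) is not None,
    "special":    lambda p: re.search(r"[^A-Za-z0-9]", p) is not None,
    "not_common": lambda p: p.lower() not in COMMON_PASSWORDS,
}


def password_problems(password, username=None):
    """Return the list of rule names the password fails (empty == acceptable).
    Also rejects a password that simply contains the username, which the
    checklist does not mention but is a common add-on (assumption)."""
    problems = [name for name, ok in RULES.items() if not ok(password)]
    if username and username.lower() in password.lower():
        problems.append("contains_username")
    return problems


def password_acceptable(password, username=None):
    return not password_problems(password, username)
```

Whatever rule set you choose, apply it only at registration and password change; never try to "validate" a password at login time, since that would reject existing users.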
Offer 2FA (two-factor authentication) so users can opt in.
Always run with production settings, not development settings. For example, never show detailed errors to users, such as SQL errors that reveal table and field names.
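An added example (not from the original checklist) of the production-settings rule above: an error handler that logs the full traceback server-side and returns only a generic message plus a correlation id, while a debug flag (off in production) controls whether details reach the response. The failing query is constructed with a deliberately misspelled column so that SQLite raises a real error naming the column; the settings dicts and function names are assumptions.

```python
import json
import logging
import sqlite3
import traceback
import uuid

log = logging.getLogger("app")

# Two settings profiles (assumption): only the debug flag differs here
PRODUCTION = {"debug": False}
DEVELOPMENT = {"debug": True}


def handle_exception(settings, exc):
    """Map an unexpected exception to an HTTP status and JSON body.
    The full detail is always logged; it is only echoed to the client
    when debug is on, which must never be the case in production."""
    error_id = uuid.uuid4().hex[:12]
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("error_id=%s\n%s", error_id, detail)   # stays server-side
    body = {"error": "An internal error occurred.", "error_id": error_id}
    if settings["debug"]:
        body["detail"] = detail                       # developer-only
    return 500, json.dumps(body)


def fetch_user(settings, username):
    """Simulated request handler. The schema has password_hash, but the
    query asks for passwd_hash (constructed bug), so SQLite raises
    OperationalError('no such column: passwd_hash')."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    try:
        row = conn.execute(
            "SELECT id, passwd_hash FROM users WHERE username = ?", (username,)
        ).fetchone()
        return 200, json.dumps({"user": row})
    except Exception as exc:
        return handle_exception(settings, exc)
```

The `error_id` is what a user quotes to support; it lets an operator find the full traceback in the logs without any of it ever having been sent to the browser.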
Give developers and admins separate usernames, each with access limited to what that role needs to do.