Kirbytext and XSS

  • the first step would be to validate input. Kirby has a lot of built-in validators you can use. You can also use regex and create your own validators. That way you can prevent unwanted input in the first place.
  • you can - and maybe should - escape all field content, you can also do this with kirbytext, if you call esc() before calling kirbytext: $page->text()->esc()->kt();
  • you should definitely secure your server and not allow simple FTP or weak passwords
  • placing all important folders outside the web root adds another level of security (usually not possible on shared hosting, though).
  • regular backups are always a must, version control helps as well and is easy with a file based CMS where you don’t have to deal with a database

See also: https://getkirby.com/docs/guide/security
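To make the first two points concrete, here is an added example that is not part of the post above: a Kirby 3 page controller that validates a submitted contact form with Kirby's `V` validators plus one custom regex, and escapes the values before they are passed through Kirbytext, in the same `esc()`-then-`kirbytext()` order the post recommends. The form field names (`name`, `email`, `message`), the length limits and the regex are assumptions chosen for illustration.

```php
<?php
// Added example, not the forum poster's code. Drop this into
// site/controllers/contact.php for a page with template "contact".
// Field names, limits and the message regex are assumptions for illustration.

use Kirby\Toolkit\V;

return function ($kirby, $page) {
    $errors   = [];
    $data     = [];
    $rendered = null;

    if ($kirby->request()->is('POST')) {
        // Raw, untrusted values as submitted by the visitor
        $data = [
            'name'    => (string) get('name'),
            'email'   => (string) get('email'),
            'message' => (string) get('message'),
        ];

        // Step 1: validate. Reject unwanted input before it is stored or rendered.
        if (V::minLength($data['name'], 2) === false || V::maxLength($data['name'], 80) === false) {
            $errors['name'] = 'Name must be between 2 and 80 characters';
        }

        if (V::email($data['email']) === false) {
            $errors['email'] = 'Please enter a valid e-mail address';
        }

        // Custom validator via regex: letters, digits, whitespace and basic
        // punctuation only, at most 2000 characters. Angle brackets never pass.
        if (V::match($data['message'], '/^[\p{L}\p{N}\s.,;:!?()\'"-]{1,2000}$/u') === false) {
            $errors['message'] = 'The message contains characters that are not allowed';
        }

        // Step 2: escape before any markup processing. esc() turns <, >, &, "
        // and ' into entities, so a submitted <script> tag is rendered as text
        // even though kirbytext() would otherwise pass raw HTML through.
        if (empty($errors)) {
            $rendered = kirbytext(esc($data['message']));
            // ...store the sanitised data or send the e-mail here...
        }
    }

    return [
        'errors'   => $errors,
        'data'     => $data,
        'rendered' => $rendered,
    ];
};
```

In the matching template the same rule applies to stored field content: render `<?= $page->text()->esc()->kt() ?>` rather than `<?= $page->text()->kt() ?>`, and when echoing the submitted values back into the form use `<?= esc($data['name'] ?? '') ?>` so a failed submission cannot inject markup into the page either.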