Your first port of call should be to the web host to see what they do to protect your site. Then you need to ensure that you have not opened yourself up to the usual things like SQL injection etc. You could pay out several thousand dollars for a penetration test but, unless you are building a commercial site and security is a big issue (e.g. users logging on and/or spending money) then you probably don't need to do that. There are many other things you can look at and do (I've barely scratched the surface) and there are some really good articles here on security - you should search for and read them all.
Also read this[^] - might find it helpful.