–> sanitize all POST/GET functions with html-entities & mysql_real_escape_string

Why html-entities? You only need them to display information in html format. Don’t use it while receiving and storing info.

Also: mysql_real_escape_string only works for text. If you want to receive, say, an integer, do this:

$myInt = (int)$_POST["whatever"];

–> if site is about to be online, TURN OFF, error reporting or customize it

Yes, use a log file to store them and look into it an a regular basis.

–> I don’t use cookies, only sessions (Because sessions are less vulnerable)

How do you relay the PHPSESSID without cookies? Not in url I hope. I guess you meant: I use only cookies to store PHPSESSID.

A security improvement: Make a new sessionid for each request.

–> turn off directory listing

Good.

–> make robot.txt to prevent indexing unwanted files

OK, but sensitive files shouldn’t be in the webroot anyway (eg, db credentials)

–> For passwords, use salt + Md5

md5 is weak. You might want to look into other ways for one-way encryption.

–> only make ADMIN site accessible from one PC and one browser by getting ip, and browse info, otherwise throw in 404 Error.

That is a good idea.

There is a lot more to add. Most has to do with your logic.

For example: If you have users with a userid, and postings with a postingid. You want to store postings in tblpostings, also storing the userid, so you know who wrote it.
Now, if you enable deletions of posts you must somehow check that the one who deletes the posting is also the owner.
These kind of things are hard to fit in simple general rules. Just pay attention when you write code. 🙂