1. Do not host your wallet or private keys on your webserver, just addresses.
2. DO NOT HOST YOUR WALLET OR PRIVATE KEYS ON YOUR WEBSERVER, JUST ADDRESSES.
3. Generate your address + private keys offline / remotely, i.e. on a different physical location than your webserver. This allows your webserver to retrieve new addresses as needed, without exposing access to your private keys anywhere.
4. Use a new address for each payment/order. This way you can always check if a specific payment has been made or a specific order has been paid. With one address per account, you cannot clearly distinguish between payments for different orders.
5. Instead of generating private keys + addresses on the fly, you could pregenerate a few thousand addresses / private key pairs, and backup those. Backup again whenever creating (and before using) new keys + addresses and increase volume as needed.
6. On the webserver end, just back up your order/payment/account database just like you would now. Before or after receiving doesn't matter, that is already backed up in the blockchain. And before or after sending funds does not apply here, as per rules 1 and 2.
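The cold/hot split from rules 3 to 5, as an added example that is not code from the original post: the offline side derives secp256k1 key pairs and exports only the public column, and the webserver side keeps a pool of that public material, hands each order exactly one entry, and signals when a fresh offline batch is due. The `AddressPool` class, its `low_water` threshold and the order ids are assumptions for illustration; compressed public keys stand in for the encoded addresses a real deployment would store.

```python
import secrets

# secp256k1 domain parameters (public constants, not secrets)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):
    """Affine point addition on secp256k1; handles doubling and the point at infinity (None)."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    if p == q:
        lam = (3 * p[0] * p[0]) * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P

def pubkey(priv):
    """Compressed public key (hex) for a private scalar, by double-and-add."""
    result, addend = None, G
    while priv:
        if priv & 1:
            result = _add(result, addend)
        addend = _add(addend, addend)
        priv >>= 1
    return ("02" if result[1] % 2 == 0 else "03") + format(result[0], "064x")

def generate_batch_offline(count):
    """Cold side (rule 3/5): make (private key, public key) pairs; back these up, export only the public column."""
    return [(k, pubkey(k)) for k in (secrets.randbelow(N - 1) + 1 for _ in range(count))]

class AddressPool:
    """Hot side (rules 1, 2, 4): holds public material only and gives each order exactly one entry."""
    def __init__(self, public_keys, low_water=2):
        self.free = list(public_keys)   # never contains a private key
        self.assigned = {}              # order_id -> public key, one per order
        self.low_water = low_water      # constructed threshold for requesting a new offline batch
    def address_for(self, order_id):
        if order_id not in self.assigned:
            if not self.free:
                raise RuntimeError("pool exhausted: import a new offline batch")
            self.assigned[order_id] = self.free.pop(0)
        return self.assigned[order_id]
    def order_for(self, public_key):
        """Map an observed payment back to its order (possible because keys are never reused)."""
        return next((o for o, k in self.assigned.items() if k == public_key), None)
    def needs_refill(self):
        return len(self.free) <= self.low_water
```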