2: If the administrator of my VPS, or a hacker who hacked into my VPS, got access to all my files and saw my source code with the password, then he can steal all my coins with the password, right? Are there any other ways to improve protection against such accidents? (Because there are always new vulnerabilities found, for Apache, for Linux, etc.)
If you're going to run a service which needs to be able to send transactions by itself, my only advice is to only run it on hardware you own, or pay the hosting company for the level of protection you need. At least, for now. When multisig transactions become commonplace, other solutions may be possible.
If you're just going to receive transactions, pre-generate 1000 addresses and put them on the webserver, but run no live bitcoind there.
3: How can I know the transaction fee before sending bitcoins? I.e., if a client has 15 BTC in his account and he sends 15 BTC out, how can I know how much the fee of this transaction is before processing it? Because it might be free, it might be 0.01 BTC, it might be 1 BTC; I need to calculate the amount available before processing his request. By the way, I don't really get the definition of a transaction fee: is it obligatory or voluntary? If you pay, your request gets processed faster by the BTC network; if not, your request will still be processed, just slower, right?
That's currently hard: you can set the voluntary fee to 0, but bitcoind will always add a fee if it considers it absolutely necessary (too small outputs, too young/small inputs, too large, ...). This is usually very small, but whether it is necessary can depend on random factors (the input coin selection is random, so the fee requirement may or may not be there, though it rarely has much influence).