Recently, I was looking at a theme and found a few things that are not good practice for Drupal. That's why I am writing this. If you find something wrong, please correct me.
1. Custom Error page:- Most of us forget to update the error page and do not bother to change it to match the theme. So, I suggest changing the error page to match your custom theme. You can find it at http://siteofwebsite/admin/settings/error-reporting
2. Directory Structure:- Most developers do not use the correct directory structure. If you are developing your own theme or module, use only the /sites/all folder for development; everything else is for the Drupal core team.
3. Login System:- In most cases we do not need to modify the login system. Those who do need to change it should use LoginToboggan instead of rewriting Drupal code.
4. WYSIWYG Editor:- Using a WYSIWYG editor is a better option than using plain text. We can use CKEditor, WYSIWYG, or IMCE. If you need to upload files, you can include a file manager such as CKFinder or KCFinder.
5. Optimize Database:- If your website is large and has a lot of data, it is better to use a database maintainer. It will help the administrator optimize tables.
6. Turning off modules:- Turn off all unused modules. This will help speed up the site.
7. Backup website:- It is better to take a complete backup of the database and files.
8. Eyes on Spammers:- Always keep your eyes on spammers. Never let them go; install the Flag Abuse module and always flag them.
9. White Screen:- Sometimes a user, developer, or admin gets the “white screen of death”: a completely white screen where the content disappears with no error and no warning, which is really difficult to understand. For that you can find a solution here.
10. PHP code:- In some cases you may require PHP code in content; in that case, use it. It is totally safe and a feature of Drupal. It was developed for you. You just have to keep an eye on the users you allow access to PHP code.
You can get more tips at https://www.drupal.org/node/431846
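
A check for tip 2, added here as an example and not taken from the original post or from Drupal itself: it lists modules and themes that sit in the core modules/ and themes/ directories but were not shipped with core. It assumes core .info files carry the project = "drupal" line that the drupal.org packaging script adds to release tarballs; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: find extensions living in Drupal's core directories that
# were not shipped with core (tip 2 says they belong under sites/all).
# Assumption: core .info files contain the line  project = "drupal"  that
# the drupal.org packaging script adds to release tarballs.

find_misplaced() {
    root=$1
    for dir in "$root/modules" "$root/themes"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name '*.info' | sort | while IFS= read -r info; do
            if ! grep -Eq '^[[:space:]]*project[[:space:]]*=[[:space:]]*"?drupal"?[[:space:]]*$' "$info"; then
                # Print the extension directory relative to the Drupal root.
                d=$(dirname "$info")
                printf '%s\n' "${d#"$root"/}"
            fi
        done
    done
}

# Constructed sample tree (not a real site) so the check runs offline.
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/modules/node" "$root/modules/my_custom" \
             "$root/themes/garland" "$root/themes/client_theme" \
             "$root/sites/all/modules/views"
    printf 'name = Node\nproject = "drupal"\n' > "$root/modules/node/node.info"
    printf 'name = My custom\n' > "$root/modules/my_custom/my_custom.info"
    printf 'name = Garland\nproject = "drupal"\n' > "$root/themes/garland/garland.info"
    printf 'name = Client theme\n' > "$root/themes/client_theme/client_theme.info"
    printf 'name = Views\nproject = "views"\n' > "$root/sites/all/modules/views/views.info"
    printf '%s\n' "$root"
}

sample=$(build_sample)
find_misplaced "$sample"   # lists only the two extensions placed in core dirs
rm -rf "$sample"
```

On a real site, pass the Drupal root directory to find_misplaced; anything it prints is a candidate to move under sites/all before the next core update overwrites or orphans it.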