Honestly the biggest one: never run a destructive command without knowing exactly what it touches. Stuff like rm -rf, dd, mkfs, or anything with a wildcard. Double check the path before you hit enter, and if you’re not sure, don’t run it on prod first.
Related reading:
In addition to that, always, always, have backups and should be tested backups. A backup you’ve never restored from is just a hope, not a backup. 
Don’t make config changes without saving the original first, don’t edit a service config and restart blindly without checking the syntax, and never work directly as root when you can use sudo. Working as root all day is how a typo turns into a disaster.
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.$(date +%F)
That gives you something like nginx.conf.2026-05-22. If you want the timestamp, then:
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.$(date +%F_%H%M%S)
And when you do change something on a remote box this is firewall or SSH config related, keep a second SSH session open or have console/alternate access. Locking yourself out of a server you can’t physically reach is not fun!