Here are a few points you should keep in mind while using WCF services:
Don't put proxies in a using statement.
Use the FaultExceptions class for handling service exceptions. You should use the FaultContracts class to return error information to the service consumers.
Use message logging to log service operations.
It is always preferable to use a per call instance model.
Use WCF tools, such as SvcUtil.exe, SvcConfigEditor.exe, and SvcTraceViewer.exe.
You should protect logfiles from unauthorized access, and the logfiles should not contain sensitive information.
Use a proper authentication mechanism to authenticate service consumers.
Use string passwords, and protect access to the credential store.
Use IIS to host your service, unless you would like to use a transport protocol that is not supported by IIS.
Validate input parameters on the server side, and don't rely on client-side validation only.
Define maintainable services and data contract versioning.
Define your namespaces clearly to avoid conflict.
Encrypt configuration sections that contain sensitive data.
You should manage binding and endpoint information through configuration, and not through code.
Define services in a class library, and not directly in a host project.
Include the FaultContract attribute in the service contract definition.
Use static proxy classes instead of the ChannelFactory class.
Use the Cache to store client proxies if you have to call service methods frequently.
Use X509 certificates instead of NTLM.
You should publish metadata only after securing the metadata exchange endpoint with transport or message-level security.
You should favor data contracts over serializable types.
Use WAS hosting wherever possible and IIS hosting for external HTTP-only services.