Another trick I have been using: keeping the "dev" site physically separate from "live" so I can have a release procedure between the two.
First, with regards to plugins or public libraries:
The "dev" site uses "local source" versions of all the external (public) packages or libraries I use that need to be modified or extended for the project. I actually forked them to my own repo. Having the repos checked out to run as source means they get their own folder in my home folder, instead of "site-packages". And Python "runs" it from my home folder so any changes are detected and included. This allows me to change and test the changes in the "full site" in safety. I use Django's user access control to keep it private.
The "live" site uses standard installs from the head revision of the libraries I forked. So, back on dev I only check in changes after they are cleared for live use. But the live server won't use those changes until I update (re-install) these libraries.
For data security, while my dev and live db schemas are identical (I use South), I made a "safe" fixture of data for the dev server that contains only fake data. As testing progresses I occasionally update that fixture with exports of additional fake data added to the system for testing. It takes a surprisingly large amount of work to generate useful fake data - very tempting to just copy "real" stuff. But no, that would be a huge security and ethical no-no.
The actual project code is managed with Subversion (part of a TRAC project). There are clever CMS features I have not figured out yet. I just check in the "dev" and "live" servers to different branches. Then use Beyond Compare to review changes between the two trees. Most files are identical. settings.py and dashboard.py have to be different. I could just copy all the other files over, but I like to check what changes were made to avoid copying over any "experimental" or "not working yet" changes. Plus since we are an Agile shop, I need to note which stories are affected/resolved by each change. Not to mention requirements coverage reports...
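One way to build the kind of "safe" dev fixture the post describes, as an added example (not the poster's code): it takes a Django `dumpdata` JSON export, replaces the fields flagged as personal data with deterministic placeholders, and checks that none of the original values survive anywhere in the result. The model names, field list and sample records are constructed for this example.

```python
import hashlib
import json

# Constructed sample in Django dumpdata JSON format (not real data).
RAW_FIXTURE = json.dumps([
    {"model": "auth.user", "pk": 1,
     "fields": {"username": "jdoe", "email": "jane@example.org",
                "first_name": "Jane", "last_name": "Doe",
                "password": "pbkdf2_sha256$constructed-hash", "is_staff": True}},
    {"model": "shop.order", "pk": 10,
     "fields": {"customer": 1, "total": "19.99",
                "notes": "call Jane on 555-0100"}},
])

# Assumed project-specific list of which fields hold personal data per model.
PII_FIELDS = {
    "auth.user": {"username", "email", "first_name", "last_name", "password"},
    "shop.order": {"notes"},
}


def fake_value(model, field, pk):
    """Placeholder derived from a hash of (model, field, pk), so the same
    record always gets the same fake value across fixture refreshes."""
    tag = hashlib.sha256(f"{model}:{field}:{pk}".encode()).hexdigest()[:8]
    if field == "email":
        return f"user{tag}@example.invalid"
    if field == "password":
        return "!"  # leading '!' is what Django stores for an unusable password
    return f"{field}_{tag}"


def sanitize_fixture(raw_json):
    """Return the fixture objects with every PII field replaced; foreign
    keys, amounts and other non-PII fields are left untouched."""
    objs = json.loads(raw_json)
    for obj in objs:
        for field in PII_FIELDS.get(obj["model"], ()):
            if field in obj["fields"]:
                obj["fields"][field] = fake_value(obj["model"], field, obj["pk"])
    return objs


def leaked_values(objs, real_values):
    """Defensive check before committing the fixture: list any of the
    original sensitive strings that still occur anywhere in the output."""
    blob = json.dumps(objs)
    return [v for v in real_values if v in blob]
```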