Here's some thoughts:
Security
You'll be getting a lot more attention from potential hackers with a larger userbase, but otherwise your security concerns should be much the same, for the most part (just that the chances and consequences of someone finding and exploiting a security flaw are much higher).
I don't know how much you already know about Codeigniter, but it has a number of security features built in. There's also the general security stuff you'd want for any site.
- Consider enabling CI's cross-site scripting protection
- Consider using CI's Database Sessions
- Use CI's Active Record DB class properly to avoid MySQL injection vulnerabilities
- Ensure you are hashing and salting passwords (per user salts are good, also ensure your hashing algorithm is secure - ie, not MD5)
- Also ensure anything else confidential is encrypted in some way or another - Codeigniter has a library for this, which is decent provided you have mcrypt support on your server
- Ensure user input is being filtered to prevent XSS (cross site scripting) attacks. Codeigniter has a feature to attempt to filter these out, however it isn't implemented amazingly well
- Make sure that permissions checks are watertight, so that there is no way a user can access information that doesn't belong to them
- Implement some kind of login attempts per hour per ip restriction
Performance
I don't have any hard cold numbers to give you here, but definitely look at ensuring all appropriate fields are indexed, as table scans can get really slow with larger row counts.
Avoid overnormalising your data - Sometimes it can be better to store the same data in multiple places. You then incur a performance hit updating the data, but potentially save time on joins when reading the data.
If there is ever the opportunity to use database triggers, go for it - Its much faster than having your web app send several queries to the db to accomplish the same thing.
If you segregate the free trial accounts into another DB, it would help keep the "real customer data" seperate from the trial data (and makes it easier to say, only perofrm automated backups on non-trial data). From an infrastructure standpoint, it would also make it easier if down the line you wanted to move the free trial and regular services onto seperate systems.
Don't have too many databases though, remember that every time you push an update, you're going to need to ensure that every database schema is up to date and happy. If you have hundreds of client databases, any kind of non-automated administration on them could easily turn into a nightmare.