The user the php runs as is the biggest issue imho.
mod_php generally executes all php code as the apache user the problem with this is that
often one user can access another users files (and through this their db credentials and
other secure stuff).
One way around this is to use suphp. This runs each users code as that user and as such
reduces the risk of the above security breach happening. The main downside is that suphp must
run with priviledge as it needs to setuid to the script owner and also a new process is
started for each php request which may break some opcode caching solutions.
Depends on the distribution... in a nutshell,
1. Edit /etc/apache2/conf.d/security (if debian/ubuntu), turn off/down ServerTokens and the
2. Tell PHP to not expose_php via /etc/php5/apache2/php.ini; check PHPs memory limits to make
sure they're sane.
3. Make sure you apt-get update / upgrade (or equivalent) often.