Remember .php is executing in the PHP application stack on the server. It may have access to do more than just a user browsing the web site.
These are my suggestions (not a complete list) for PHP on Apache with limited server access. Hopefully this will get you started in the right direction...
Sanitise Database Calls
When reading and writing to a database sanitise your input, especially if you are requiring input from a user. Also be wary about building SQL statements on the fly with user supplied input. Allowing a ‘ or a “ or any number of other characters in input could allow a user to inject their own commands to, say, query the user table. If possible, restrict user input to a-z, A-Z, 0-9 as this is generally safe.
Here is good stuff that you should know about if you are going to write PHP for your web site.
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Apache .htaccess files
Also, you can apply some good lock downs to your .htaccess file to prevent unwanted use or misuse of your web site files.
http://httpd.apache.org/docs/2.2/howto/htaccess.html
You should limit file permissions on .htaccess where possible by setting something like 644 (rw-r--r--). But for an additional layer also put the following in the .htaccess file for the root of your website.
# Prevent access to .htaccess from web.
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
Limit Permissions
Limit permissions to what you really need. For example, if you don't need execute on php.ini don't grant it (it should probably be set to 600). If you are unsure, start with a low permission level and work your way up. It won't take long to try and you will save yourself the headache later.
Also be careful with execute on image files and files that obviously should not be executed. If someone can use images embedded in your pages to execute code they will if you let them.
If you require write access to a directory like uploads, then block access to files that are not required. For example, if you have a PDF or image upload directory, .php files probably would not be required, so block them.
<FilesMatch "\.(htaccess|ini|sh|php)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Better yet, block any file types except the files you need.
Order Allow,Deny
Deny from all
<FilesMatch "\.(jpg|gif)$">
Order Deny,Allow
Allow from all
</FilesMatch>
Disable Directory Browsing
If not required, disable it. Giving people access to see what files you have may give them information to attack you better. You could disable it via a .htaccess file in the specific directory or at the root of your site by using something like this.
# Disable directory browsing
Options All -Indexes
Third-party Scripts and Applications
If you use third-party scripts, includes or applications in your website, make sure they are from a reputable source and keep them up-to-date. Join mailing lists if required to make sure you know when a new release comes out. A lot of automated attacks against web applications using PHP and other scripting languages use well known vulnerabilities that have been previously fixed.
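As an added example (not code from the answer above), here is a small POSIX shell audit that checks a web root for the permission and upload-directory mistakes the answer describes: a group/other-writable .htaccess, a php.ini that is not 600, image files with an execute bit, and .php files sitting in an upload directory. The "uploads" directory name and the sample tree built by make_sample_site are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit a web root for the permission problems discussed above.
# Assumptions: uploads live in "$root/uploads"; the sample tree is constructed here.

# report TAG FIND-ARGS... : print every path matched by find, prefixed with TAG.
report() {
    tag="$1"; shift
    find "$@" 2>/dev/null | sed "s|^|$tag: |"
}

# audit_webroot DIR : print one tagged line per finding (prints nothing if clean).
audit_webroot() {
    root="$1"
    # .htaccess should be 644 or tighter, so any group/other write bit is a finding.
    report WRITABLE-HTACCESS "$root" -type f -name .htaccess \( -perm -020 -o -perm -002 \)
    # php.ini should be exactly 600 (owner read/write only).
    report LOOSE-PHP-INI "$root" -type f -name php.ini ! -perm 600
    # Image files never need an execute bit for any class of user.
    report EXEC-IMAGE "$root" -type f \( -name '*.jpg' -o -name '*.gif' -o -name '*.png' \) \
        \( -perm -100 -o -perm -010 -o -perm -001 \)
    # A PDF/image upload directory should not contain .php files at all.
    report PHP-IN-UPLOADS "$root/uploads" -type f -name '*.php'
}

# make_sample_site DIR : build a constructed site tree containing deliberate mistakes.
make_sample_site() {
    site="$1"
    mkdir -p "$site/uploads"
    printf 'Options All -Indexes\n' > "$site/.htaccess"
    chmod 666 "$site/.htaccess"                                          # too loose, should be 644
    : > "$site/php.ini";           chmod 644 "$site/php.ini"             # should be 600
    : > "$site/logo.gif";          chmod 755 "$site/logo.gif"            # executable image
    : > "$site/uploads/doc.pdf";   chmod 644 "$site/uploads/doc.pdf"     # expected file type
    : > "$site/uploads/stray.php"; chmod 644 "$site/uploads/stray.php"   # should not be here
}

# Stand-alone run: build the sample tree, audit it (four findings), clean up.
demo_dir=$(mktemp -d)
make_sample_site "$demo_dir/site"
audit_webroot "$demo_dir/site"
rm -rf "$demo_dir"
```

Run it against a real document root with audit_webroot /path/to/site; an empty result means none of the four checks fired.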