Here are a few things to do.
- First and most important keep your server software updated and patched. Especially old PHP and kernels which can be insecure. A couple links with lots of info: Website security precautions, and Secure settings for PHP on Apache.
- It's very important that you (if you manage your own web hosting server) or your web host enable open_basedir. In a shared hosting environment without open_basedir, an attacker has the ability to exploit a vulnerability.
- Enable disable_functions (A disabled_function list below for a good setup)
- Suhosin will further harden your PHP installation.
- Close unneeded open ports.
- Maintain access logs. Depending on the size of your site these can quickly grow in size, but they can be very useful in identifying any access points.
- Disable direct root login, and change the default ssh port.
- Secure passwords, limit access
- Disable allow_url_fopen in php (recommended in the securing PHP link above).
- If an attack happens, preserve the time stamps of the files affected (ie: using cp -p before deleting the files).
- Disable world writable permissions (777) for directories. As a general rule, chmod 755 for directories, 644 for files.
- mod_security
- Firewall, brute force protection, email notification when someone logs in as root.
- Backup, backup and backup again also maintain off-site backups.
- Cloudflare? Clouflare blocks IP addresses, and many Asian countries share IPs (as do dial-up users). Many false positives if you have visitors from these areas, but worthy for high-risk sites.
- A security diligent host or server admin can be amazing.
Disabled_function List
disable_functions = escapeshellarg,escapeshellcmd,exec,ini_alter,parse_ini_file,passthru,pcntl_exec,popen,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate