Wednesday, April 19, 2017

Application hardening

Securing the Server

The server itself should be secured. This usually means hardening the server and ensuring that the server uses a firewall.

Hardening the server

Typically this means hardening the operating system by uninstalling unnecessary services. For example, there's usually no reason to run a print server on the same server that runs the public website.

Disabling and uninstalling unnecessary services reduces the footprint of the server, which means that there are fewer things for an attacker to exploit. Tools like SELinux and grsecurity also enhance the security of a server and limit how far a successful attacker can get beyond their own little sandbox.

Using a firewall

Whether you use a firewall on the server itself, a firewall at the point where the Internet meets your network, or both, you should make sure that there's a firewall blocking connections to all ports except those specifically allowed, such as TCP ports 80 and 443 for a typical web server.

A better scenario is to run the firewall both at the ingress point (the point where the Internet meets your network) and on the server itself. Doing so means that the web server will be protected even if an attacker finds another way into the network.

All major operating systems include built-in firewall tools, and they're both easy to set up and easy to maintain.
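A check that follows from the two sections above, added here as an example (it is not from the book): it reads an `ss -Hltnp` listing of listening TCP sockets and reports every port that is not on the allow-list the firewall should admit, so leftover services such as a print daemon show up before the firewall rules are written. The listing is a constructed sample so the script runs offline; on a live host you would pipe the real `ss` output into `audit_listeners` instead.

```shell
#!/bin/sh
# Constructed sample in the shape of `ss -Hltnp` output (no header line).
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=1201,fd=4))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("apache2",pid=1201,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
LISTEN 0 50 0.0.0.0:631 0.0.0.0:* users:(("cupsd",pid=950,fd=7))
LISTEN 0 80 127.0.0.1:3306 127.0.0.1:* users:(("mysqld",pid=1100,fd=20))
LISTEN 0 511 [::]:80 [::]:* users:(("apache2",pid=1201,fd=5))'

# audit_listeners PORT... : read ss output on stdin and print one line per
# socket whose port is not in the allow-list, as "scope port process address".
# Loopback-only sockets are flagged "local-only"; anything else is "EXPOSED".
audit_listeners() {
    allow=" $* "
    awk -v allow="$allow" '
    {
        # Column 4 is the local address:port; the port follows the last ":".
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        # First process name in the users:(("name",pid=...)) field, if any.
        proc = "unknown"
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        if (index(allow, " " port " ") > 0) next
        scope = (addr == "127.0.0.1" || addr == "[::1]") ? "local-only" : "EXPOSED"
        print scope, port, proc, addr
    }' | sort -u
}

# Run the audit over the constructed sample with the typical web allow-list.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | audit_listeners 80 443
}

audit_sample
```

On the sample this reports sshd and cupsd as exposed on 22 and 631 and MySQL as local-only on 3306; the print daemon is the kind of service the hardening section says to uninstall, while a needed port such as 22 goes on the firewall allow-list.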
Securing Apache

Securing the Apache web server is a pretty broad topic, so rather than try to fit everything into one section, we focus on two ways to make Apache more secure when it's running PHP applications: using SuExec and mod_security.

If you're using a third-party hosting provider, you won't be able to install SuExec or mod_security yourself; instead you rely on the hosting provider for server security (and let them worry about it).

Securing PHP applications with SuExec

If your application runs on Apache (as more than half the websites on the Internet do), you may want to consider enabling SuExec in your Apache configuration. SuExec is a mechanism bundled with Apache that causes scripts to be run as the user that owns the script, rather than as the web server user.

In a non-SuExec environment, all scripts run under the same user ID as the web server itself. Unfortunately, that means one vulnerable script can give a malicious user back-door access to the entire web server, including scripts running on other sites hosted on the same server.
PHP, MySQL, JavaScript & HTML5 - Steven Suehring, Janet Valade