Okay, I had a think about things and a potential security enhancement is to put the following into a .htaccess file in the /cache and /templates_c directories:
<Limit GET>
order deny,allow
deny from all
#allow from .my.domain
</Limit>
<Limit POST>
order deny,allow
deny from all
#allow from .my.domain
</Limit>
This will prevent anyone from loading any file from those dirs in their browser, if they know the file name, and also submitting via POST. This should (in theory) stop a script kiddie from using a script if they manage to upload it to those directories.
Obviously, it won't stop them if they know to look for the .htaccess file and are able to delete/alter it, but it is an extra layer.
It would be better if you are able to put it in the virtualhost directive for your site in httpd.conf, for example:
<virtualhost>
    # other stuff here
    <directory "/path/to/cache">
        <Limit GET>
            order deny,allow
            deny from all
            #allow from .my.domain
        </Limit>
        <Limit POST>
            order deny,allow
            deny from all
            #allow from .my.domain
        </Limit>
    </directory>
    <directory "/path/to/templates_c">
        <Limit GET>
            order deny,allow
            deny from all
            #allow from .my.domain
        </Limit>
        <Limit POST>
            order deny,allow
            deny from all
            #allow from .my.domain
        </Limit>
    </directory>
</virtualhost>
Comments?
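Apache applies access directives placed inside `<Limit>` only to the methods named there (GET also covers HEAD), so it is worth checking which methods a per-directory config actually denies. The audit below is an added example, not part of the original post; the `METHODS` list, the function names and `PAGE_HTACCESS` (the post's .htaccess reproduced as sample input) are assumptions made for illustration.

```python
import re

METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH")  # example list

OPEN = re.compile(r"<\s*(LimitExcept|Limit)\s+([^>]*)>", re.I)
CLOSE = re.compile(r"</\s*(LimitExcept|Limit)\s*>", re.I)
DENY = re.compile(r"(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I)
# The .htaccess from the post, reproduced as sample input.
PAGE_HTACCESS = """\
<Limit GET>
order deny,allow
deny from all
#allow from .my.domain
</Limit>
<Limit POST>
order deny,allow
deny from all
#allow from .my.domain
</Limit>
"""

def scope_of(kind, names):
    """Methods that a <Limit> or <LimitExcept> section applies to."""
    listed = {n.upper() for n in names.split()}
    if "GET" in listed:
        listed.add("HEAD")  # Apache treats HEAD as covered by GET
    if kind.lower() == "limit":
        return listed & set(METHODS)
    return set(METHODS) - listed

def denied_methods(config_text):
    """Return the METHODS under a blanket deny in one per-directory config."""
    denied, scope = set(), set(METHODS)  # outside <Limit>: all methods
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives are inactive
        section = OPEN.match(line)
        if section:
            scope = scope_of(section.group(1), section.group(2))
        elif CLOSE.match(line):
            scope = set(METHODS)
        elif DENY.match(line):
            denied |= scope
    return denied

def uncovered_methods(config_text):
    """METHODS that no blanket deny in the config applies to."""
    return sorted(set(METHODS) - denied_methods(config_text))
```

Run against the post's file, `uncovered_methods` returns every method outside GET, HEAD and POST; the same `order`/`deny from all` lines placed directly in the .htaccess or `<directory>` section, without a `<Limit>` wrapper, cover all of them.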