6
A followup, my examples are pretty generic, there are more specific settings that are more secure. The best performance and security is to put everything in httpd.conf and php.ini without allowing any more access than actually needed. That can be a pain but after getting a stable server you can migrate .htaccess settings to httpd.conf and then turn off .htaccess access.
Here is a little added security I do on mine. I disallow access to the mainfile.php file in httpd.conf (can also be in .htaccess):
<Files ~ "mainfile.php">
Order allow,deny
Deny from all
</Files>
This causes a 404 error if called from the browser. XOOPS has no trouble since it is called from the filesystem. mainfile.php won't normally parse in a browser but if your PHP were to die you'll get the full text and that isn't good.
You can also set read-only and owned by the server user (chmod 400) so that nobody else can even view the file should they get access by other than root. Again it is a small pain to switch to root long enough to make changes but that is rare. Call me paranoid....