User separation (read/write users for apache)
Using database views (or stored procedures for power DBAs?)
KNOW ALL YOUR LOGFILES & Locations
Gather baseline from logfiles
Inventory of the applications
(Version, modules installed, modules active, md5sums of the binaries)
Track unmaintained chaotic software from CPAN etc.
Don't just assume it's disabled.
Inventory of crucial libraries (what's the libjpeg version on all my webservers)
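
The "md5sums of the binaries" item above, as an added example (not from the original notes): record a checksum baseline for a directory and report drift against it later. The function names and the sample tree are constructed for illustration; md5 is used because the list names it, and the `algo` parameter accepts "sha256" as well.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="md5", chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_inventory(root, algo="md5"):
    """Map every regular file under root (path relative to root) to its digest."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                inventory[os.path.relpath(full, root)] = file_digest(full, algo)
    return inventory

def compare(baseline, current):
    """Report drift between a stored baseline and a fresh inventory."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample tree standing in for a web server's binary/module directory."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "modules"))
        samples = {"httpd": b"binary-v1", "mod_ssl.so": b"ssl-v1", "mod_status.so": b"status-v1"}
        for name, data in samples.items():
            sub = "" if name == "httpd" else "modules"
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(data)
        baseline = build_inventory(root)
        # Simulate drift: one binary replaced, one module removed, one module added.
        with open(os.path.join(root, "httpd"), "wb") as fh:
            fh.write(b"binary-v2")
        os.remove(os.path.join(root, "modules", "mod_status.so"))
        with open(os.path.join(root, "modules", "mod_new.so"), "wb") as fh:
            fh.write(b"new")
        return compare(baseline, build_inventory(root))

if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server user cannot write to, otherwise the comparison proves nothing.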