I'm quite fond of articles looking at security in PHP. They're easy to write and can, if you wish, be quite sensational. In fact I seem to be noticing such articles on quite a few blogs, including my own attempt here.
Probably the best new article I've seen recently is here at PHP Hacks. I'm going to skip over the majority of the article and head straight for predictability.
The author suggests predictability is to be avoided, but in some instances I believe it is a good thing. In one project I'm currently working on (on and off) I do have a folder named 'admin'; I even reference it in my robots.txt file. I hope that anyone wishing to harm my site will enter the folder and attempt to log in. Initially they'll be pleased to see that the errors supplied are very descriptive. Then eventually, if they are very determined, they might find the correct username/password combination, and they'll be directed to a page with no content: no admin backend they can mess with, just a dead end. My admin folder is a honeypot, a little tool designed to make anyone wishing to cause harm waste as much time as possible.
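To make the idea concrete, here is an added example of what such a decoy login script can look like. It is not the code from my project or from the PHP Hacks article; the decoy credentials, the log path and the dead-end page name are all hypothetical. It deliberately does the opposite of what a real login should do (it tells the attacker which of the two fields was wrong), logs every attempt to a file outside the web root, and sends anyone who "succeeds" to an empty page.

```php
<?php
// Added example (not the post's own code): decoy login handler for a
// honeypot "admin" folder. The real admin interface lives elsewhere and
// shares nothing with this script.
declare(strict_types=1);

// Decoy accounts. Hypothetical values; they must not match any real account,
// because the whole point is that "success" here leads nowhere.
const DECOY_USERS = [
    'admin' => 'letmein',
];

// Hypothetical log path, outside the web root so the attacker cannot read
// their own trail. The web server user needs write access to it.
const HONEYPOT_LOG = '/var/log/honeypot/admin-login.log';

// Hypothetical dead-end page: a file in the same folder containing no content.
const DEAD_END_PAGE = '/admin/dashboard.php';

/**
 * Evaluate a login attempt against the decoy accounts.
 * Returns ['status' => 'no_user'|'bad_password'|'dead_end', 'message' => string].
 * The messages are intentionally descriptive: a real login must never say
 * which field was wrong, but a honeypot wants the attacker to keep going.
 */
function honeypotLogin(string $username, string $password): array
{
    if (!array_key_exists($username, DECOY_USERS)) {
        return ['status' => 'no_user',
                'message' => "Unknown username '$username'."];
    }
    // hash_equals keeps the comparison constant-time; not strictly needed for
    // a decoy, but it costs nothing and keeps the script looking like a real one.
    if (!hash_equals(DECOY_USERS[$username], $password)) {
        return ['status' => 'bad_password',
                'message' => "Incorrect password for user '$username'."];
    }
    return ['status' => 'dead_end', 'message' => 'Login successful.'];
}

/** Append one attempt to the log. Errors are suppressed so a full disk or a
 *  permissions problem never leaks a PHP warning to the attacker. */
function logAttempt(string $ip, string $username, string $status): void
{
    $line = sprintf("%s %s %s %s\n", date('c'), $ip, $status, $username);
    @file_put_contents(HONEYPOT_LOG, $line, FILE_APPEND | LOCK_EX);
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['password'] ?? '');
    $result   = honeypotLogin($username, $password);
    logAttempt($_SERVER['REMOTE_ADDR'] ?? 'unknown', $username, $result['status']);

    if ($result['status'] === 'dead_end') {
        header('Location: ' . DEAD_END_PAGE);
        exit;
    }
    // Half a second per failed attempt: enough to slow a brute force down and
    // waste the attacker's time, not enough to look like a deliberate tarpit.
    usleep(500000);
    // Escape the echoed username so the honeypot itself is not an XSS sink.
    echo '<p>' . htmlspecialchars($result['message'], ENT_QUOTES, 'UTF-8') . '</p>';
}
?>
<form method="post" action="">
  <label>Username <input name="username"></label>
  <label>Password <input name="password" type="password"></label>
  <button type="submit">Log in</button>
</form>
```

Two things to keep in mind if you copy the idea. First, the decoy must share nothing with the real site: no real usernames, no real passwords, no database connection, and no code in that folder that does anything beyond logging. Second, the log is only useful if someone reads it; an IP address that shows up in the honeypot log is a good candidate for blocking at the firewall or for closer inspection of the rest of your access logs. The robots.txt entry the post mentions is just a `Disallow: /admin/` line, which keeps well-behaved crawlers out and advertises the folder to everyone else.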
This idea relates back to the final point raised in the article:
Be Completely and Utterly Paranoid
If you assume your site will never come under attack, or face any problems of any sort, then when something eventually does go wrong, you will be in massive amounts of trouble. If, on the other hand, you assume every single visitor to your site is out to get you and you are permanently at war, you will help yourself to keep your site secure, and be prepared in case things should go wrong.