Hardening PHP
Submitted by Steve Holdoway on Mon, 30/11/2009 - 16:04
Not too long ago, one of the sites I manage was hacked quite badly. It turned out that the code uploaded for one of the hosted websites had already been compromised before it reached the server, so lesson 2) is most certainly to vet uploaded code much more thoroughly when a site is first set up! However, I've now taken the approach of running as crippled a version of PHP as I can get away with. In most cases this means modifying php.ini to disable the following:
allow_url_fopen = Off
allow_url_include = Off
disable_functions = system, shell_exec, passthru, exec, popen, proc_open
This stops PHP from opening (allow_url_fopen) or including (allow_url_include) remote files by URL, and removes access to the listed command-execution functions on the local server. It's worked OK so far...!
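As an added example (not part of the original post), here is a small PHP script that checks whether those php.ini settings are actually in effect for the SAPI it runs under, so the hardening can be verified after every PHP upgrade or ini change rather than assumed. The list of functions is the one from the post; the script name and exit-code convention are my own.

```php
<?php
// Added example, not from the original post: audit the running PHP against
// the php.ini hardening described above. Run it with the CLI (`php audit.php`)
// AND under the web SAPI, because each can load a different php.ini.

// Functions the post disables; extend to taste.
const EXPECTED_DISABLED = ['system', 'shell_exec', 'passthru', 'exec', 'popen', 'proc_open'];

/**
 * Return a list of findings; an empty array means the hardening is in place.
 * ini_get() reports the effective value, whichever ini file it came from.
 */
function audit_php_hardening(): array
{
    $findings = [];

    // Both directives come back as "1"/"0" (or ""), so validate as booleans.
    foreach (['allow_url_fopen', 'allow_url_include'] as $directive) {
        if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$directive is On; set it to Off in php.ini";
        }
    }

    // disable_functions is a comma-separated list; normalise it to a set.
    // It is PHP_INI_SYSTEM, so a script cannot loosen it with ini_set().
    $raw = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $disabled = array_flip(array_filter(array_map('strtolower', $raw)));

    foreach (EXPECTED_DISABLED as $fn) {
        if (!isset($disabled[$fn])) {
            $findings[] = "$fn is missing from disable_functions";
        }
        // function_exists() returns false for disabled functions, so this
        // catches a typo in the ini list that left the function callable.
        if (function_exists($fn)) {
            $findings[] = "$fn is still callable in this SAPI";
        }
    }
    return $findings;
}

$findings = audit_php_hardening();
if ($findings === []) {
    echo "OK: php.ini hardening is in effect\n";
    exit(0);
}
foreach ($findings as $f) {
    echo "WARN: $f\n";
}
exit(1); // non-zero so a cron job or deploy script can fail on it
```

Dropping it into the web root as a one-off check and removing it afterwards is the simplest way to exercise the web SAPI's configuration.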
Copyright © 2006-2023 GreenGecko.co.nz All rights reserved.