How to secure an OpenBSD-based Apache webserver

If security is your concern, keep in mind that httpd in OpenBSD is chrooted by default, which means that in case of a potential compromise of your web server, the attacker will stay in the chroot jail of your webserver, isolated from the rest of your system, therefore minimizing the effects of the breach.

As far as mount options go, you could mount the partitions where binaries are not expected to be executed as noexec (for example, user /home directories). You could also consider enabling nosuid and nodev mount options where applicable. Check the mount manual page for more information.

You could also use a restricted shell such as rbash in conjunction with chroot jailing of daemons.

I use a structure like:

/var/www/sites/
/var/www/sites/project.com/
/var/www/sites/project.com/includes/
/var/www/sites/project.com/library/
/var/www/sites/project.com/www/
/var/www/sites/project.com/www/index.php

Where /var/www/sites/project.com/www/ is set as the virtual host's document root, and I use index.php to include files from library/ & includes/

This way I have organized my project to have the bulk of the PHP outside of apache's document root -- as you're looking to do. So that the server doesn't 'blat' the contents of PHP scripts, etc.

However -- if it's managed hosting, you're going to have to play within the box drawn by the host.

I'd say at the same level as public_html/ is a good place to put your directories with PHP files. The public_html/ is about equivalent to /var/www/sites/project.com/www/ in my example directory structure.

As to the nature of the php/ directory, maybe only your host knows. If it's empty, I'd say that they're encouraging you to use it.