You must have, on any web-server or other service-providing system: A firewall.
You should have, if you can’t firewall port 22 (ssh), fail2ban or denyhosts.
If you’re running a shared webserver system (providing hosting for 2 or more different websites) you really should be running mod_security.
If you can’t put phpmyadmin behind a firewall or basic auth (customers, sigh) then do keep it upgraded. Of course, keeping things upgraded covers any off the shelf software, wordpress is just as bad - quite a few of them have got code injection/filesystem manipulation issues.
If you can, and you’re running a mod-php system, run the IPX version of apache, not mpm prefork. It allows you to get apache to make customer code executed as that customer’s user, which is a boon to tracking down which muppet didn’t upgrade wordpress this time.
Of course, there are a lot of other things you can do as well, fastCGI, nginx, and other more fancy things when you get up to MP’s sort of level 