Very wide field, depending entirely on what you are doing. Some things to (possibly) do involve:
- caching
- minimizing database access and speeding up queries (related to the next item)
- minimizing file block access
- using built-in PHP functions when they exist instead of coding your own functions in PHP that do the same thing.
- basic computer science: data structures and algorithms. If you, for example, solve a problem in O(n), you will come to a point where no amount of other optimization will let that run quicker than solving the same problem in O(log n). Scaling becomes an issue.
- increasing hardware resources through load balancing etc.
- scaring away users 🙂
As for security, trust no input at all that wasn't specifically provided by you, commonly referred to as "user input". This doesn't have to be input actually provided by a human user, but might just as well come from any other external resource, such as scraping a web page for information or a third-party database.
Not trusting any input means taking safety precautions as necessary. For example, cast to integer if you expect the input to be a number. Properly escape anything supposed to be handled as a string, with functions like mysql_real_escape_string for storing it in a DB or htmlentities for presenting it on a web page.
Connect to any DB with no more access than you actually require on a general basis. If your users have no way of inserting data, just viewing it, the scripts' DB user should have only read access, and only on those tables it actually reads from.
Restrict access by setting open base dir, which is a web server configuration iirc. This way your scripts can't access anything higher up in the directory tree structure.
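
The input-handling advice above (validate numbers, keep strings out of the SQL text, escape on output with htmlentities) as an added example that is not part of the original post. It uses PDO prepared statements in place of mysql_real_escape_string, because the old mysql extension was removed in PHP 7. The `comments` table, its columns and the function names are hypothetical, and it assumes PHP 8 with the pdo_sqlite driver.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

/** Validate a value that is expected to be a positive integer id. */
function parse_id(mixed $raw): ?int
{
    // filter_var rejects "12abc"; a bare (int) cast would silently turn it into 12.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Store strings: values are bound as parameters, never spliced into the SQL text. */
function add_comment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

/** Fetch one row by id and return it escaped for an HTML body context. */
function render_comment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '<p>No such comment.</p>';
    }
    // Escape at output time, for the context the value lands in.
    $author = htmlentities($row['author'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $body   = htmlentities($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p><b>{$author}</b>: {$body}</p>";
}

// Constructed untrusted inputs, as they might arrive in $_POST / $_GET.
$newId = add_comment($db, "O'Brien", '<script>alert(1)</script> "hi"');
foreach ([(string) $newId, '1 OR 1=1', '12abc', '-5'] as $rawId) {
    $id = parse_id($rawId);
    echo $id === null
        ? 'rejected id: ' . var_export($rawId, true) . "\n"
        : render_comment($db, $id) . "\n";
}
```

The stored text keeps its original characters; it is only converted to entities when rendered, so the same row can be escaped differently for a different output context.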