I enact all of those except samhain whenever I can (thanks much for that tip ... I will investigate.
samhain runs as a daemon and continually watches over certain directories and is highly configurable into types of watching. Some files can grow (e.g., log files) other files should not change (like sshd executable, for instance. You can configure it to write a write-only log to a remote database so that even a local compromise cannot conceal activity or alter your log file. You can configure it to send an email when something happens.
I was under the mistaken impression on one of our boxen that FTPD was tcp-wrapped. It wasn't :-(
It's now turned off ... SCP/SFTP don't need it (only SSH).
You can configure FireFTP (firefox plugin) to use certs for SFTP access. There are probably other sftp clients, but I don't know them. I do most of my work via SSH or via SVN/GIT. Version control is also a good way to maintain the integrity of your source. If your server gets compromised, you might be able to completely wipe your PHP source and re-deploy it from your repository. Beats the hell out of searching all your source code for exploits.
I do wrap and/or firewall off all access to most of our boxen from the 'Net at large.
I couldn't claim to be any sort of firewall expert, but iptables is awesome (and required by fail2ban). It's also one step better than a firewall inasmuch as it is on the machine handling the traffice and thereby protects against traffic inside your firewall too. The downside is that you can easily lock your own bad self out of the server if you aren't careful.
I use public-key myself; I need to do the re-education of the rest of the shop, I guess. As no one else here is a programmer type, I'm thinking it may be an uphill battle.
Depending on what FTP client they may have gotten accustomed to, this can be easy or hard. Generating the keys can be just a matter of a couple of terminal commands on a max or *nix or just downloading putty and putty gen for windows. I find that it really really helps to do a step-by-step recording of the steps using camtasia or some other screen capture program.
I'll also reiterate that Amazon EC2 is pretty darn awesome if your system has been compromised. You can make a freeze-dried image of your production server when you feel like it's running well. If it gets compromised, you can just throw it away and fire up a new one from the image.