Re: The best security ?
I wanted to add mod_chroot as an option as well for a layered security approach. If the webserver is compromised the system won't be if there's a properly chrooted environment.
One thing to note, PHP's mail() function depends on sendmail and/or other binary. The system() and other shell functions depend on a working shell. I statically compiled mini_sendmail for the chrooted environment. I also use busybox-static from the repo's hardlinked into the chrooted environment.