First thing is to change all your passwords on the server (including FTP users), making sure you use "strong" passwords for the new ones.
Any directory that does not need to have files written to it by your PHP scripts should have its permissions set so that only the owner (you) has write permission. The corollary is to try to avoid having any sensitive scripts in world-writable directories. (So in other words, make a separate directory for things like file uploads, and leave all your script/include directories read-only for the world.)
Review all your scripts for anywhere that you use user inputs to select files that get included (or worse, executed). If you have control of your PHP settings via php.ini or .htaccess, at the very least turn off allow_url_include, and consider turning off allow_url_fopen if you don't need it.
Review your Apache access logs if you have access to them, and look for things where the URL includes external URLs in the query string, or "../../" type of directory strings trying to move up the directory tree and read something on the server. These may point you toward a script that someone has found a hole in.