Looks pretty good to me.
The two on there that most people 'forget' about are the recording of errors (specifically auditing ones like failing to login), and the moving of anything unpublished outside of the public_html (or whatever your published directory is).
One thing to note, I don't think .htaccess would have any affect outside of a published directory though. This shouldn't really be a problem, Apache itself has a directive to deny reading on .ht* files, and I believe it is configured by default.
As of PHP 5.5, the MySQL library has been officially deprecated. It is recommended to move to either MySQLi or PDO libraries for your mysql connectivity. See here for help choosing which interface you prefer: http://php.net/manual/en/mysqlinfo.api.choosing.php