Looks pretty good to me.
The two on there that most people 'forget' about are the recording of errors (specifically auditing ones like failing to login), and the moving of anything unpublished outside of the public_html (or whatever your published directory is).
One thing to note, I don't think .htaccess would have any affect outside of a published directory though. This shouldn't really be a problem, Apache itself has a directive to deny reading on .ht* files, and I believe it is configured by default.
header('HTTP/1.1 420 Enhance Your Calm');