When hacking vulnerable web sites, hackers use PHP functions that allow program execution or disk access to get access to server.
Some most commonly used functions are exec, shell_exec and system. These commands allow hackers to execute program as web server user. Most applications may not need these functions, so these functions can be safely disabled with out affecting functionality of your web site.
To disable insecure functions, create a file php.ini with following content
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen,parse_ini_file,show_source"
allow_url_fopen = Off
allow_url_include = Off
If you have dedicated server or VPS, you can disable these functions server wide by editing php.ini of your server.
Once change is made, make sure it is working properly by checking phpinfo page.