First of all, run it under its own dedicated uid to minimise the damage if it does get compromised. Make it so that that uid doesn't have write access to any of the web space, including the files making up that web application. Stick a web application firewall in front of it, like mod_security for Apache. Always keep it patched up to date, including any plugins. Make sure you follow any relevant RSS-based changelogs, blogs, mailing lists or Twitter streams etc. so you're informed of any security problems.
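One way to check the "no write access to the web space" rule, as an added example that is not part of the original answer: the script walks a web root and reports everything the application's uid could modify. The function names and the command-line form are hypothetical, and it assumes plain Unix mode bits (POSIX ACLs are not inspected).

```python
import os
import pwd
import stat
import sys


def write_reason(st, uid, gids):
    """Why `uid` (with groups `gids`) could modify the inode, or None."""
    if st.st_uid == uid:
        return "owner"  # the owner can always chmod the file writable
    if st.st_gid in gids:
        # POSIX uses the group class only; "other" bits are not consulted
        return "group-writable" if st.st_mode & stat.S_IWGRP else None
    return "world-writable" if st.st_mode & stat.S_IWOTH else None


def audit(root, uid, gids):
    """Return (path, reason) for everything under root that uid can modify."""
    gids = set(gids)
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs not followed
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits carry no meaning
            reason = write_reason(st, uid, gids)
            if reason:
                findings.append((path, reason))
    return findings


if __name__ == "__main__":
    # usage (hypothetical): audit.py <app-user> <web-root>
    user, root = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    hits = audit(root, pw.pw_uid, os.getgrouplist(user, pw.pw_gid))
    for path, reason in hits:
        print(f"{reason:15} {path}")
    sys.exit(1 if hits else 0)
```

A non-zero exit status means at least one path is modifiable by the application user, which makes the script usable as a deployment check.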