Create non-root users
This applies not only to web servers but to all operating system administration: Create and use non-root accounts for basic administrative and management tasks as another layer of defense in case an attacker obtains non-root credentials to the web server.