Actually it doesn't really matter wether you include HTML or you just write it manually in the script.
But be aware that when you either write or include things in the script such as databaseconfig or variableconfig. If due to a error, the server doesn't process the php scripts, they will be shown as regular html and then people will be able to read the php (including all the variables). They can then be able to use that to for example copy/adjust your database or get access to secure parts of the website.
To sum it up:
It doesn't matter if wether you include or write the <head>, <html> and <!DOCTYPE> tags in a php file. I recommend you always include configs that are either hidden from the user with .htacces or that are located above the webroot.
If your server is the production/live server the most key things you have to do is disabling error reporting in PHP (display_errors in php.ini should be set to off) and disabling directory browsing in Apache described here and here
I don't know what else server side. Not my strong point. But if you're using a framework like Zend or CakePHP you can move your source files off the www-root so that they aren't accessible from the outside. Nothing else comes to mind.