InformationThe user account under which Apache runs should not have a valid password, but should be locked.
As a defense-in-depth measure the Apache user account should be locked to prevent logins, and to prevent a user from su'ing to apache using the password. In general, there shouldn't be a need for anyone to have to su as apache, and when there is a need, then sudo should be used instead, which would not require the apache account password.
SolutionUse the passwd command to lock the apache account:
# passwd -l apache
The default user is daemon and the account is typically locked.