phpBB has an outstanding record for security, that said nothing is perfect. The best thing you can do is make sure to keep up with updates as they often have have security updates.
Beyond that most things you can do are server related, security of any site/server is layered. For example one simple thing you can do is put a .htaccess password on the adm folder. It adds another step for someone to get into the ACP.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”