Thanks Jason,
Once the site is live, all FTP & SFTP/SSH will be disabled as they'll no longer be needed - so as long as the PHP code is safe (I did look at the live pages' source code and it was fine, as you say).
The host will provide a full SSL using domain.com, not as a subdomain or specific folder.
And all the links are relative links.
So the only precaution would be to use .htaccess to prevent the secure pages from being viewed as non-SSL. Or is that not necessary?
Many thanks for your response(s).