I would say best practices for ColdFusion are similar to those for programming web applications in any language.
I recently read Essential PHP Security by Chris Shiflett and the majority of issues discussed affect ColdFusion as well, though the syntax for dealing with them may be slightly different. I expect there are other (possibly better) language-agnostic books which contain principles which can easily be altered for use in ColdFusion.
Obfuscating what technology you're using is no substitute for securing your application and its infrastructure. Hiding the PHP file extension should be one detailed item in a list of many steps you should take to secure your code and server.
Entire books are written on PHP security topics. Here's a good one to start with: