-Doc
It appears to me that there are those who attempt to hack known 3rd party apps - for a while I kept having all kinds of 404s looking for stuff I didn't even have like phpauction and wordpress and the like.
My server logs indicate that these happen very quickly - I'd have several hits within a couple of seconds - so I doubt that the "successful" hacker does anything manually, instead employing automation for at least the first 'phase'.
From all the posts I've seen here about the various form hijacking attempts, I surmise that another intent of hacking a site is to find sources for doing mass emails.
I very much doubt that having tidy html will have any impact since I don't think they look at the stuff with their eyes and I doubt that they teach their automation tools to look for carriage returns. I imagine they're looking for form tags.
I really don't know what impact hiding/exposing php has. I would have to think that a hacker would look for form tags and then see if there's a way of exploiting the form regardless of what the script language appears to [not] be - if there's a form then there must be some sort of processing going on afterward.
I've had dozens of attempts on my phpbb forum and I've had probes for other apps, but I've not, to my knowledge, had any attempts on any of my own scripts - definitely none that were successful. My guess would be that without known holes to exploit they know it would take too much time, and there are just too many other vulnerable sites to explore.
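The pattern described in the post above (several 404s within a couple of seconds for apps the site does not run) can be picked out of an access log mechanically. This is an added example, not part of any post in the thread; it assumes Apache common/combined log format in chronological order, and the threshold, window, IP addresses and log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined log format: client IP, [timestamp], "METHOD path ...", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)

def find_probe_bursts(lines, threshold=4, window_seconds=5):
    """Return {ip: sorted paths} for clients with >= threshold 404s inside the window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> (time, path) of 404s still inside the window
    flagged = defaultdict(set)    # ip -> every path seen during a burst
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue              # skip malformed lines and non-404 responses
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m.group("ip")]
        hits.append((ts, m.group("path")))
        while ts - hits[0][0] > window:
            hits.popleft()        # drop 404s that have aged out of the window
        if len(hits) >= threshold:
            flagged[m.group("ip")].update(path for _, path in hits)
    return {ip: sorted(paths) for ip, paths in flagged.items()}

# Constructed sample: one automated prober, one normal visitor, one slow 404 source.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2007:10:15:01 +0000] "GET /phpauction/index.php HTTP/1.1" 404 209',
    '192.0.2.10 - - [12/Mar/2007:10:15:01 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 404 209',
    '198.51.100.7 - - [12/Mar/2007:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [12/Mar/2007:10:15:02 +0000] "GET /phpbb/viewtopic.php HTTP/1.1" 404 209',
    '192.0.2.10 - - [12/Mar/2007:10:15:03 +0000] "GET /blog/wordpress/ HTTP/1.1" 404 209',
    '198.51.100.7 - - [12/Mar/2007:10:15:04 +0000] "GET /favicon.ico HTTP/1.1" 404 209',
    '203.0.113.5 - - [12/Mar/2007:10:15:05 +0000] "GET /old-page.html HTTP/1.1" 404 209',
    '203.0.113.5 - - [12/Mar/2007:10:20:40 +0000] "GET /old-page2.html HTTP/1.1" 404 209',
    'this line is not in log format and is ignored',
]

if __name__ == "__main__":
    for ip, paths in find_probe_bursts(SAMPLE_LOG).items():
        print(ip, "requested", len(paths), "missing paths in a burst:", ", ".join(paths))
```

A single stray 404 (a missing favicon, a stale bookmark) stays below the threshold, so only the rapid multi-path probing is reported.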
I've also gone to the trouble to add whitespace and carriage returns to my while query output to keep the source code looking as static as possible.
Making it 'look static'? To a human? I would have thought the only reasons to add additional whitespace/CRs is if you are trying to debug the output or you expect people to view the source and wish to show how neat and tidy your code is - no bad thing? But it's not going to 'run' any neater and could well add some page weight as you say.