How do I protect config.php?


Kyrnel
Tue 1st Mar '05, 12:33pm
Since my site got hacked, I have been looking at various methods of obtaining information and violating security measures. One that stands out to me that I have not seen mentioned anywhere is how to protect the config.php file.

This file contains the login information for mysql on the server, but resides in a publicly accessible folder. I am thinking that I missed something somewhere on how to secure this file, but I have spent hours looking for it to no avail.

I tried CHMODing the folder to remove public read permissions but it also makes it inaccessible to the other files (so it breaks the board).
I know on our previous site we just put the root login in there (I know, bad idea). But even now that we created a user with limited access to mysql to use, someone could still get a hold of that file and do bad things in mysql... right?

So how do I prevent someone from just downloading this file?

Sorry if this is an obvious question, I am a programmer, not a server admin. ;P..

Scott MacVicar
Tue 1st Mar '05, 1:09pm
They can visit the file but PHP will execute it and as there is no code it won't show anything to them.

What you really have to worry about is people with accounts on the server reading it. The problem is that apache usually runs as nobody which means you have to give permission for nobody to read the file so another user on the server can still read it.

Kyrnel
Tue 1st Mar '05, 2:00pm
But I was able to actually download the PHP file.
I just created a temp html file with a link to the config.php file. I opened the html file and right-clicked on the link and selected 'Save As' and saved the php file locally and was able to open it in a text editor and view the account info (login and password).
If a person just put their root login info in that file, then there is no limit to the damage a person could do. I mean, the installation instructions seem to encourage you to just use the root login ('root' is already specified in the config.php file).
So, is there a way to prevent this file from being downloaded or should we specify an alternate user account instead and, if so, will getting access to the alternate mysql user info be a security risk?

[Edit - now that I think about it, it seems that the Apache webserver must be misconfigured to allow a PHP file to be downloaded. The public should only have access to the parsed file, right? /edit]
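A quick self-check for the two concerns raised in this thread, added here as an example (not code from the thread or from vBulletin): whether the web server hands back raw PHP source for config.php instead of executing it, and whether other local accounts can read the file on disk. The sample response bodies and the `$config['MasterServer']` key layout are constructed for illustration.

```python
import re
import stat

# Constructed sample response bodies, not captured from any real server.
# A correctly configured server executes config.php, which produces no
# output; a misconfigured one serves the source as plain text.
RESPONSE_OK = b""
RESPONSE_LEAK = (
    b"<?php\n"
    b"$config['MasterServer']['username'] = 'root';\n"
    b"$config['MasterServer']['password'] = 'example-password';\n"
    b"?>"
)

# Patterns that should never appear in the HTTP response for a PHP config
# file; any hit means the source is being served rather than executed.
LEAK_PATTERNS = [
    (re.compile(rb"<\?php"), "PHP open tag present in response body"),
    (re.compile(rb"\$config\s*\["), "config array assignments visible"),
    (re.compile(rb"\['(username|password)'\]"), "credential keys visible"),
]


def source_leak_indicators(body: bytes) -> list:
    """Return the reasons a response body looks like unparsed PHP source.
    An empty list means the server is executing the file as expected."""
    return [reason for pattern, reason in LEAK_PATTERNS if pattern.search(body)]


def permission_findings(mode: int) -> list:
    """Flag permission bits that let accounts other than the owner and
    group read or change the file. `mode` is st_mode from os.stat(); the
    target is 0640 (or 0600) with the web server user or group as owner,
    so that 'nobody' can read it without every other local user also
    being able to."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable: any local account can read the credentials")
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any local account can alter the config")
    return findings
```

To use it against a live board, fetch config.php with any HTTP client and pass the body to `source_leak_indicators`, and pass `os.stat(path).st_mode` to `permission_findings`.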

Zachery
Tue 1st Mar '05, 2:27pm
Are you sure, Kyrnel? Did you open the file and see?

I could try to save showthread.php from here; it would just spit out HTML output.