Best practice to hide/secure the php-engine config file?

Question

I just got a task to work on an old-styled-developed webpage.

It means, the common used variables / constants and variables of database connection are in the viewing php-engine, not in a separated file. :-(

I thought I will put them into a config.php or config.inc file, and just using with require_once('/path/filename'); in the engine.

My problem is , that I am not familiar with the securing, so I thought, I change the privileges (maybe 755?).

Is there anything else I could do?

Answer 1

Move the config file outside the public folder so it cannot be accessed via URL. Otherwise, a misconfiguration in your webserver might send the file unparsed (someone might forget to tell the webserver that .inc files should be run through php. I never name them .inc for that reason. Always .php). It's rare but I had this happen at least two times on sites I visited and they had credentials in their files, too.