PHP Security
Config.php
Don't place the config file in web root
If your web root is ~/public_html/, place the file in another folder, for example ~/app/config.php. This way, if PHP fails for some reason and starts spitting out your code in plain text, visitors won't be able to get to your file.
Protect with htaccess
Sometimes on shared hosting you don't really have that option. In that case, create a folder in your web root, ~/public_html/app, then create the file ~/public_html/app/.htaccess and insert
deny from all
into the file. If somebody now tries to access your file from the browser, they will get an access denied response, so the file can't be run directly. Even if PHP fails, Apache will stop them. And if Apache is down, they likely won't be able to access the file anyway.
chmod your config file
This will vary greatly depending on your PHP handler. With PHP you can probably get away with removing read/write access for everyone except the owner, since PHP is running as that user. If Apache needs access to your files, then you will need to grant read access to the group, etc.
You can also remove execute permissions on the parent directory, so that if somebody did get in, they couldn't get directory listings and find the filename.
chmod 400 filename
You need to understand what the three digits XYZ of a chmod mode (the file's permission attribute) mean:
X = Owner
Y = Group
Z = Everyone/World
If you set the mode to XY4, you give everyone read access! (Even though the content of a PHP file cannot be read through a browser, it is still readable over SSH, FTP or a file browser.)
Since settings.php must only be read by your system, set it to 440 or, better, 400 (if possible). Giving a file mode 440 prevents everyone except the owner and group from reading it, whatever the access method.
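The three checks above can be run as one audit. The shell function below is an added example, not part of the original page: it flags a config file that sits inside the web root without a "deny from all" .htaccess in its own directory, and any mode that grants more than owner/group read. The names audit_config and file_mode are assumptions; the paths in the usage comment are the page's own examples.

```shell
#!/bin/sh
# Added example: audit a config file against the page's three checks.

# Octal mode of a path: GNU stat first, BSD stat as fallback.
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# audit_config FILE WEBROOT
# Prints one finding per line. Returns 0 when clean, 1 with findings,
# 2 when a path cannot be resolved.
audit_config() {
    dir=$(CDPATH= cd -- "$(dirname "$1")" 2>/dev/null && pwd -P) || return 2
    root=$(CDPATH= cd -- "$2" 2>/dev/null && pwd -P) || return 2
    mode=$(file_mode "$1" 2>/dev/null) || return 2
    m=$((0$mode)) rc=0          # leading 0 makes the shell read it as octal

    # Checks 1 and 2: outside the web root, or shielded by "deny from all".
    # Only the .htaccess in the file's own directory is inspected.
    case "$dir/" in
    "$root"/*)
        if ! grep -qi '^[[:space:]]*deny from all' "$dir/.htaccess" 2>/dev/null; then
            echo "inside web root and $dir/.htaccess lacks 'deny from all'"
            rc=1
        fi ;;
    esac

    # Check 3: mode XYZ should be 400 or 440.
    if [ $((m & 0007)) -ne 0 ]; then
        echo "mode $mode: Z (everyone) has access"; rc=1
    fi
    if [ $((m & 0030)) -ne 0 ]; then
        echo "mode $mode: Y (group) has more than read"; rc=1
    fi
    if [ $((m & 0300)) -ne 0 ]; then
        echo "mode $mode: X (owner) has more than read"; rc=1
    fi
    return $rc
}

# Usage: sh audit.sh ~/app/config.php ~/public_html
if [ $# -eq 2 ]; then audit_config "$1" "$2"; fi
```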