There are several ways to protect such sensitive files from public access, but most of them are not as feasible. A good way to protect your configuration.php file is to simply move it to a non-public folder. However, note that this isn't a simple copy-and-paste operation; certain modifications have to be made. Below we provide step-by-step instructions on how to achieve this.
Step 1: Move configuration.php to a safe directory outside of public_html.
Step 2: You will have to modify the /includes/defines.php and /administrator/includes/defines.php files; more precisely, this constant:
define( 'JPATH_CONFIGURATION', JPATH_ROOT );
If, for example, you wish to move the file up one level and into a folder named "test", the constant will look like this:
define( 'JPATH_CONFIGURATION', JPATH_ROOT.DS.'..'.DS.'test' );
Step 3: Make sure configuration.php is not writable at all, so that it cannot be overridden by com_config.
Step 4: If you need to change configuration settings, do it manually in the relocated configuration.php.
Using this method, even if the web server somehow delivers the contents of PHP files, for example due to a misconfiguration, nobody can see the contents of the real configuration file. Even taking into consideration the downside of not being able to adjust the global settings, it is still a good method of protecting against malicious attacks.
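To confirm that steps 1 to 3 were carried out completely, the following added example (not part of the original instructions or of Joomla itself) audits the result from a shell on the server. The function name check_joomla_config and the two directory arguments are assumptions; pass your own web root and the directory you moved the file to.

```shell
# Added example: audit a site after relocating configuration.php.
# Usage: check_joomla_config DOCROOT CONFIGDIR
#   e.g. check_joomla_config ~/public_html ~/test   (paths are placeholders)
# Prints one "FAIL: ..." line per problem; returns 0 only if every check passes.
check_joomla_config() {
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL: web root not found"; return 1; }
    cfgdir=$(cd "$2" 2>/dev/null && pwd -P) || { echo "FAIL: config dir not found"; return 1; }
    rc=0

    # Step 1: the new directory must lie outside the web root, and no copy
    # of the file may be left behind where the web server can reach it.
    case "$cfgdir/" in
        "$docroot"/*) echo "FAIL: $cfgdir is inside the web root"; rc=1 ;;
    esac
    if [ -e "$docroot/configuration.php" ]; then
        echo "FAIL: configuration.php still present in web root"; rc=1
    fi

    # Step 2: both defines.php files must no longer point at bare JPATH_ROOT.
    for f in includes/defines.php administrator/includes/defines.php; do
        if [ ! -f "$docroot/$f" ]; then
            echo "FAIL: $f not found"; rc=1
        elif grep -Eq "JPATH_CONFIGURATION'[[:space:]]*,[[:space:]]*JPATH_ROOT[[:space:]]*\)" "$docroot/$f"; then
            echo "FAIL: $f still sets JPATH_CONFIGURATION to JPATH_ROOT"; rc=1
        fi
    done

    # Step 3: no write bit for owner, group or others. Mode bits are checked
    # instead of [ -w ], which always succeeds when run as root.
    cfg="$cfgdir/configuration.php"
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg not found"; rc=1
    else
        case $(ls -ldL "$cfg" | cut -c2-10) in
            *w*) echo "FAIL: $cfg has write permission bits set"; rc=1 ;;
        esac
    fi
    return $rc
}
```

A silent run with exit status 0 means all three steps are in place; rerun it after any upgrade or restore, since either can put the original defines.php files or a fresh configuration.php back into the web root.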






