File and Folder Access Check - Checking if configuration.php is outside of public html
There are several ways to protect such sensible files from public access, but most of them are not as feasible. A good way to protect your configuration.php file is to simply move it to a non-public folder. However, note that this isn't a simple copy and paste operation, certain modifications have to be made. Below we will provide step by step instructions on how to achieve this.
Step 1 : Move configuration.php to a safe directory outside of public_html.
Step 2: You will have to modify the /includes/defines.php and /administrator/includes/defines.php files, more precisely, this constant:
define( 'JPATH_CONFIGURATION', JPATH_ROOT );
If, for example you wish to move the file up one level and into a folder named "test" the constant will look like this:
define('JPATH_CONFIGURATION', JPATH_ROOT . DIRECTORY_SEPARATOR .'..'. DIRECTORY_SEPARATOR . 'test');
Step 3: Make sure the configuration.php is not writable at all, so that it can not be overridden by com_config.
Step 4: If you need to change configuration settings, do it manually in the relocated configuration.php.
Using this method, even if the web-server somehow delivers the contents of PHP files, for example due to a misconfiguration, nobody can see the contents of the real configuration file. Having into consideration the downside if not being able adjust the global settings it is still a good method of protecting against malicious attacks.