Protect secret configuration file


3

I have a file, config.php, kept separate from the others. It holds information for 3 databases and some secret passwords, which are necessary for the functioning of the system as a whole. I wanted to protect this file in some way; anyone who accesses my server and finds it will be able to read the information contained in it and disrupt my system later. Is there any solution to this?

  • You want to protect this information from what kind of access, only requests?

  • How about that? Can you take any?

3 answers

5

There's not much to do. You can protect against external access with traditional means and protect the entire server so there is no improper access, but someone being on the server makes it difficult to protect this information.

Some will say to encrypt the file, or at least the sensitive data. But with server access, the decrypted data or the means of decryption is also available.

If the intention is to protect against external access, you can put the file outside the website's area, in a separate directory, probably one level below in the hierarchy. This will be enough.

If your website is in /http/public, you can put it in /http.

If you cannot do this, you can configure the .htaccess with:

<files config.php>
order allow,deny
deny from all
</files>

Another obvious way is to limit access with chmod permissions. Never use 777; probably 400 will be enough. But this alone is not enough.

5


If these passwords are necessary for the functioning of the system, then they must be available in their original format (or equivalent) to that system, either on disk or in memory. 100% protection is therefore impossible, but you can take some measures to limit access to them.

First, make a list of whom you trust and whom you don't trust:

  • Whoever has physical access to the server, whoever has the root password, and whoever uses the account that owns that settings file: those you need to trust; there is nothing you can do to prevent their access to the file;
  • If you don't trust the other server users, protecting the file with chmod is a means of limiting their access (this is a good thing to do anyway). I suggest 600: the owner can read and write, the group and the others can do nothing.
  • If you trust the operators but want to avoid their accidental access to the data (e.g. they opened the file to solve a problem and ended up seeing the password), it is convenient to encode it in some way, for example in Base64.
  • In all cases, keep this file inaccessible via the internet, whether by keeping it outside the root of your website/application or by protecting it with access controls (e.g. .htaccess).

Finally, an option for more "paranoid" cases (it may be necessary for extremely confidential data, but most of the time it is excessive) is to encrypt this sensitive data, requiring a password for its decryption. Thus, when booting the system, the operator would enter this password, which would decrypt the other data and keep it in memory only, preferably in a memory region that is not swapped out. The obvious drawback of this approach is that if the server needs to be restarted, the password will have to be provided again, causing loss of availability if the authorized operator is not present.

A middle ground would be to use a hardware module to do this decryption, so that the trust requirements boil down to who has physical access to the machine (i.e. not even root could decrypt the confidential data). However, the possibility remains of the root user using one process to read another's memory, but I can't say how feasible/likely that scenario is.
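Putting the advice from the first two answers together (file outside the web root, mode 600 or 400, secrets Base64-encoded against accidental viewing), here is an added example of a loader written for this page; it is not code from the question or from any answer. The layout /http/public for the site with config.php in /http, and the array keys `databases`, `password_b64` and `password`, are assumptions.

```php
<?php
// Added example (not from the page): load a secret config.php that lives
// one level above the document root and returns an array such as
//   return ['databases' => ['main' => ['host' => 'localhost',
//            'user' => 'app', 'password_b64' => 'c2VjcmV0']]];
// Key names are assumptions for illustration.
declare(strict_types=1);

function loadSecretConfig(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("config not found: $path");
    }

    // Refuse a file under the document root: one misconfigured PHP
    // handler would be enough to serve it as plain text.
    $docRoot = rtrim((string) ($_SERVER['DOCUMENT_ROOT'] ?? ''), '/');
    if ($docRoot !== '' && strncmp($real, $docRoot . '/', strlen($docRoot) + 1) === 0) {
        throw new RuntimeException("config must live outside the web root: $real");
    }

    // Enforce the chmod advice: no permission bits for group or others,
    // so 600 and 400 pass, 644 and 777 fail.
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf('config %s has mode %04o, expected 600 or 400', $real, $mode));
    }

    $config = require $real;
    if (!is_array($config) || !isset($config['databases'])) {
        throw new RuntimeException('config.php must return an array with a databases entry');
    }

    // Base64 only hides passwords from a casual look over an operator's
    // shoulder; strict decoding rejects values that are not valid Base64.
    foreach ($config['databases'] as $name => &$db) {
        $decoded = base64_decode($db['password_b64'], true);
        if ($decoded === false) {
            throw new RuntimeException("database $name: password_b64 is not valid Base64");
        }
        $db['password'] = $decoded;
        unset($db['password_b64']);
    }
    unset($db);
    return $config;
}

// Usage from /http/public/index.php: config.php sits in /http, above the web root.
$config = loadSecretConfig(__DIR__ . '/../config.php');
```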

3

One way to block access to this file would be through a rule in the .htaccess file, specifying the file in the <Files> directive:

<Files "config.php">
  Order Allow,Deny
  Deny from all
</Files>

If you need to do the same with other files, you can use the <FilesMatch> directive; it does the same thing as <Files>, but accepts regular expressions.

<FilesMatch "config\.php|function\.php|include\.php">
  Order allow,deny
  Deny from all
</FilesMatch>
