This should be a basic rule known of all, but fact is that it is not...
 
The php config file containing the sql credential is one of the most sensitive file in your website, it has default permission : 644. Optimal and secure permission should be 400 if database is only accessed locally by your website...

This tip can be incompatible with some scripts/CMS