Just to go back to something that was stated incorrectly.
passwords for database or anything else never should be kept in a public directory of a website, nor is there any reason to.
Passwords should be kept above the htdocs directory to that it is not open to public access. It’s much easier for a hacker to find a way to grab files/code off your live website directories than in those above. Make life harder for them.
Having spent sometime ferretting out an inside sabotuer, then preventing his outside hacks, we’ve learn a few things about vulnerabilities.
in most cases if you are running wordpress, you can find your password wp-config.php at the top, cut the lines, replace with
include “../dblogins.php”
Then put those lines in a file called dblogins.php or something similar, in a directory, above your homepage, where you can’t connect to it. Test to make sure permissions on the new file aren’t crashing the site. if everything works, your DB passwords are much more secure and you’re down, until the next update of the wp-config.php file.