Have to thank friesengeist of the Joomla core team for this very nice tip for your Joomla or Mambo site.
There has been a lot of discussion lately on further securing your Joomla or Mambo installations and what can be done. We do everything possible at the server level but there are a few things that can done in your individual site to help ensure a hackless Joomla or Mambo existence.
This tip explains how to move your configuration.php file outside of your webroot as well as making it unwritable by the server. That makes it nearly impossible for someone to corrupt or gain access to the information in the file.
The first step is to move the file. Your webroot is /home/USERNAME/public_html, where USERNAME is your cPanel username. Joomla and Mambo can access files located at /home/USERNAME, but those files cannot be directly accessed from the internet. Login to your favorite FTP program and download your configuration.php from /home/USERNAME/public_html/configuration.php . Rename it to “site.conf” then upload it to /home/USERNAME/site.conf.
Now that we’ve uploaded it to the new location we need to edit the original configuration.php file. Open it in your favorite text editor and replace the contents of the file with the following:
require( '/home/USERNAME/site.conf' ); ?>
Make sure to replace USERNAME with your cPanel username. Then upload the new file to /home/USERNAME/public_html/configuration.php. At this point your site should still function normally.
Next, we need to make the file unwritable by the server. Most FTP programs allow you to do this. Right-click on the /home/USERNAME/site.conf file and select the option to edit permissions (normally “Permissions” or “Info”) and change the permissions to 444. This lets the server read the file without any problems, but it will not be able to edit the file.
If you ever need to edit the file you will need to change the permissions back to 644 before making your changes.
You can view the thread that inspired this post at http://forum.joomla.org/index.php/topic,122450.0.html