1 Dec 14, 2006 12:14    

I am installing B2E and I am seriously concerned about the config file that shows the password to the database.

I tried the suggestion to 600 it and then 660 as stated in B2E docs but none worked. It works only in 666 which is my concern as anybody could eventually read the PW and other data.

Is there any way to fix this? What security measures can we apply? Besides the config file security issue, what other security measures besides the usual would you guys tip in?

Thanks a lot.

JC

2 Dec 14, 2006 13:08

I tried the suggestion to 600 it and then 660 as stated in B2E docs but none worked. It works only in 666 which is my concern as anybody could eventually read the PW and other data.

you left off 644, did you try that?

you CAN prevent your config file from loading at all in any browser window, web app, etc..

<Files ~ "^\.config"> 
    Order allow,deny 
    Deny from all 
    Satisfy All 
</Files> 



[the above is just an example]

but even without using the code above in your .htaccess, and WITH 666 permissions, you will NOT see any db or passwd information if you load it in a browser window.

I am NOT advocating leaving any configuration files with those permissions btw, I am just providing info.

3 Dec 14, 2006 13:19

Hey I just found that 604 works.

Question one: who can be that "other" besides the program itself? Sorry I am sort of newbie in this.

Question two: Where do you put that piece of code?

Question three: you say "you will NOT see any db or passwd information", does this mean that the file cannot be accessed via browser? Or it cannot be accessed at all?

Thanks
JC

4 Dec 14, 2006 16:37

Question three: you say "you will NOT see any db or passwd information", does this mean that the file cannot be accessed via browser? Or it cannot be accessed at all?

Open the file you are worried about in a browser window:

http://www.yourdomain.com/path/to/config/here

After you've done that come back here, tell us what you saw, if anything, and the other answers will follow.
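
As an added example (not part of any post in this thread), the shell functions below decode the modes tried above (600, 660, 644, 604, 666) and report which class of user can read or write the config file. It assumes three-digit octal modes and, as an assumption about the hosting setup, that the web server runs the PHP code as a user who is neither the file's owner nor in its group, which would explain why only modes with the "other" read bit worked.

```shell
#!/bin/sh
# Added example, not from the thread: decode the octal modes discussed above.
# Function names are hypothetical; modes are assumed to be three octal digits.

# class_digit MODE CLASS -> print the octal digit for owner, group or other
class_digit() {
    mode=$1
    case $2 in
        owner) d=${mode%??} ;;
        group) d=${mode#?}; d=${d%?} ;;
        other) d=${mode#??} ;;
        *) return 2 ;;
    esac
    printf '%s\n' "$d"
}

# can MODE CLASS ACTION -> exit 0 if that class may read/write the file.
# Unix applies only the first matching class: owner, else group, else other,
# so under 604 a member of the file's group is denied while "other" can read.
can() {
    d=$(class_digit "$1" "$2") || return 2
    case $3 in
        read)  bit=4 ;;
        write) bit=2 ;;
        *) return 2 ;;
    esac
    [ $(( d & bit )) -ne 0 ]
}

# audit MODE -> print findings for a config file holding a database password
audit() {
    findings=""
    can "$1" other write && findings="$findings world-writable"
    can "$1" other read  && findings="$findings world-readable"
    can "$1" group write && findings="$findings group-writable"
    [ -n "$findings" ] || findings=" owner-only"
    printf '%s:%s\n' "$1" "$findings"
}

# The modes mentioned in the thread
for m in 600 660 644 604 666; do audit "$m"; done
```
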

