Hello John,

The content of this file can only be read if you access via FTP and otherwise the data cannot be read since it is executed as PHP file.

The visitors of the website will never be able to read them.

Many thanks!

Hello Jon

Storing log-on-information in a php-file is quite common.

Also database information/credentials is normally stored this way.

If you are very keen on security, you should be aware of your PC. If it is not password-protected or is kept alone, you should know that the /res/access.inc.php file is also on your PC. And here it can be accessed by anyone who knows where the file is, and has access to the PC.

Thanks for your replies.  The concern is still the same.

The file exists in multiple locations: the server, server backups, local copy on any machine the website is worked on/tested on, any copy that happens to be stored remotely (cloud/flash drive).

Visitors might not be able to view this data, but anyone who gains access to these locations could.  This includes not only unauthorized access to the file (hacker/stolen laptop/lost thumb drive), but also somebody who has legitimate access to the file such as an employee.  A mis-configured server could also make it a downloadable file.

Best security practice is to encrypt all passwords.  My current project doesn't require users, so I am not worried about it at the moment, but I will certainly think about another way of implementing users if there is a need in the future.