All files with a config filename are inaccessible. These include common filenames like config.ini and config.php.

This file protection is configured in the default .htaccess Apache system file:

 

<Files "config.*">
  Deny from all
</Files>