Hi. My name is KevinTMC, and I'm paranoid. And I don't know much about PHP. Which is a dangerous combination.
After installing WordPress, I noticed that if I typed "http://[my blog].us/readme.html", it opened the Readme, even if I wasn't logged into my admin panel. Being paranoid, and knowing that WordPress wouldn't need to do anything fancy with this file, I chmodded it--and license.txt--to 640, so that anyone snooping around trying to figure out exactly which version I was running would get a 404 instead.
But I don't dare 640 all the real working files...yet I sure wouldn't want some random person to be able to read through, say, the contents of my wp-config.php file either.
I did feel a little better when my browser just showed me a blank page when I tried calling up wp-config.php, wp-pass.php, and so on...but perhaps that's just because I don't know what I'm doing. Could anyone with the right browser settings, or other appropriate software, look at the guts of my .php files so long as they are set at 644 or looser? Or should I stop worrying, because the .php files are already protected somehow?