wp-config.php resides in the same directory as index.php, and MUST be readable by the PHP engine. Database access data is stored in this file, so it needs to be hidden from the outside world.
There are several ways to do it but whatever method you use, I think it's better to store this data in a place that cannot be accessed by the webserver itself (there should be no mapping of this location in the webserver configuration).
I implemented this as follows:
1. Store the database data in a separate file, stored on a location without mapping in the server configuration, so the webserver cannot access it - but the PHP engine can.
2. remove this data from wp-config, instead add this statement:
require_once ('the db-access file');
If wp-config.php is now retrieved showing the text, the database access data is not shown, and since the mapping to this data is not within the server's configuration, it cannot be accessed that way.