Thanks, this is great info. Sorry if I sound paranoid or uninformed. I was worried that with web server read access, someone could use wget or something similar to get the source. But as you said, that is not the case. I just tested it out myself and your solution is perfect.
Changed owner (and group) to www-data and we have a working site that is at least as secure as it was before I did my fresh install.
Thanks again for your (quick!) help.
Thanks so much for your quick reply.
Just to confirm, does giving the web server read & write access (640) to a php file containing my database password give relatively easy access to my database password to interested external parties? Or is this a secure way to store it?
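An added example, not posted by anyone in this thread: a POSIX shell function that audits a config file's mode the way the replies settled on (owner read/write, the web server's group read-only, nothing for others). The `www-data` group name in the hint and the temporary demo file are assumptions.

```shell
#!/bin/sh
# check_config_perms FILE
#   Returns 0 when FILE is readable only by its owner and group (e.g. 640 or 600),
#   1 when 'other' has any access or the group can write, 2 when FILE is missing.
check_config_perms() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "no such file: $f"
        return 2
    fi
    # Numeric mode (GNU stat first, BSD stat as a fallback), then keep the
    # last three digits so a setuid/setgid/sticky prefix does not confuse us.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    mode=${mode#"${mode%???}"}
    rest=${mode#?}
    group_bits=${rest%?}
    other_bits=${mode#??}

    if [ "$other_bits" != 0 ]; then
        echo "$f: mode $mode is readable by 'other'; every local account, not just the web server, can read the password"
        return 1
    fi
    case "$group_bits" in
        2|3|6|7)
            echo "$f: mode $mode lets the group (the web server) rewrite the file; use 640, not 660"
            return 1 ;;
    esac
    echo "$f: mode $mode ok (owner rw, group read-only at most, no access for others)"
    return 0
}

# Demo on a constructed temporary file standing in for the php file with the DB password.
demo=$(mktemp)
for m in 644 660 640; do
    chmod "$m" "$demo"
    if ! check_config_perms "$demo"; then
        echo "  suggested fix: chmod 640 $demo && chown <youruser>:www-data $demo"
    fi
done
rm -f "$demo"
```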