I wonder if we can add an .htaccess file to block serving specific files. We should also add one to block other folders like core/. I am not very familiar with the htaccess format, so people are welcome to contribute their suggestions.

AFAIK, the packaged versions in linux already move config_inc.php out of the webroot extacly for the reasons you are stating

Since this affects only those installing manually from sources, I think it would be enough to note this issue (with possible workarounds) in the installation instructions.

Agreed with the need to make the location of config_inc.php relocatable outside of the web root. I already do the same thing (hard coded changes) when installing MantisBT from source.

I believe we support having an env variable point to the config_inc.php We could add a check to admin/check/ page which would direct admins to move config_inc.php out of htdocs and include it in a local one or point to it using the env variable.