I did read that before posting and didn’t find anything on moving that file out of the public directory.
/wp-admin/ — the WordPress administration area: all files should be writable only by your user account.
Just because they can’t write to it doesn’t mean that they can’t possibly view it and see all the connection information in clear text.
I know that part of my responsibility is to secure all the directories properly but being able to move that critical file into a private directory seems like a pretty basic security practice.
