We use inmotionhosting.com and the .user.ini file is accessible by default.
Added the following code to .htaccess file and it took care of it:
<filesMatch “\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$”>
Order Allow,Deny
Deny from all
</filesMatch>
Reference Article: https://www.inmotionhosting.com/support/website/protecting-files/restrict-public-access-php-ini
