E. g. Wordpress suggests as default permission '644' for its 'wp-config.php'.
I assume (but not know) that this setting grant all users ->known on the server<- at least read permissions.
I further assume that the term 'others' do not include an arbitrary user who access my side via http(?).
Background: I have a php script with access to an api service and which contains sensitive api login credentials. I'm now puzzled if anybody with internet access could read this data inside my script if I use 644 for it??
This permissions are related to local system users, not website visitors.
First number is for file owner, second for owner group and the last one is for all other users that not belong to owner group.
6 allows writing to file, 4 only read from it.
And to answer your last question, only user from server will be able to read that file. Not everyone that visits website (unless server will not parse php because of some configuration errors).