I need to avoid hackers from using echo $db_username in php to view encoded config files by creating new.php and add in it:
include"/home/user/public_html/config.php";
echo $db_host;
echo $db_username;
echo $db_password;
echo $db_name;
I installed mod_security for apache, Can you give me the rule to avoid this ?
No one can include your file from a remote address for a security reason. You just need to check in your php.ini file that allow_url_include is set to OFF (Already set to off by default, but just in case).
If someone will try to include your file from a remote address, when allow_url_include is set to OFF, he will get this errors:
Warning: include(): http:// wrapper is disabled in the server configuration by allow_url_include=0 in /Path/To/file.PHP on line x
Warning: include(http://www.yourserver.com/dir/config.php): failed to open stream: no suitable wrapper could be found in /Path/To/file.PHP on line x
Warning: include(): Failed opening 'http://www.yourserver.com/dir/config.php' for inclusion (include_path='.;INCLUDE_PATH') in /Path/To/file.PHP on line x
EDIT: Look, you can't protect your site in 100%, even Facebook is not "so secure" like you think, for example: eBay was hacked in 21.5.14 . What you can do is try to protect everything that will make the hackers work really hard to try get a control on your system. Here you can see a lot of attacks (not all of them is web-based attacks), read about them, all of them have a solution. Owasp attacks page. If your site is properly secured, the hackers will not get a control on your system, they will not get an access to your document_root and will not read your config file.
Easily put: You should put config file outside of the html-root for best security. You shouldn't be worried about someone creating a new php-file. You should worry about someone accessing your server instead.