MySQL password protection in PHP script

It seems I can’t get a direct answer to this question, so hopefully someone can help.

If I include the mysqli_connect() operator in my PHP script and also include my MySQL username and password, will these details be vulnerable at any time? Obviously, anything between the PHP brackets is not served on the client side (and therefore should not be displayed when viewing the source, etc.), however, is there any other way that these details could be compromised?

+4
1 answer

If for some reason PHP suddenly does not work (due to an update, a damaged configuration file, for example), the files can be sent as HTML, and the login information will be freely available to anyone who will be on the site. I have seen this before.

The best way around this is to move everything from your website except for the index.php file, which includes only one file outside the directory. It also means that your source code will not be compromised if PHP does not work.

E.g. /var/www/public_html contains only one file, index.php:

 <?php require("../entrypoint.php"); 

And everything else is located in /var/www . If PHP fails, only index.php will be compromised.

This will make it completely safe, unless your server is at risk or you allow users to execute PHP code, but this is another question. Most modular CMSs also disable all connection variables after the connection is initialized, so that one of the modules cannot accidentally expose anything.

+5
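
A sketch of what the entrypoint.php described in the answer could look like, as an added example that is not part of the original answer. The config path /var/www/config/db.php, the function name db_connect and the array keys are assumptions chosen for illustration.

```php
<?php
// /var/www/entrypoint.php: lives outside /var/www/public_html, so it is
// never served as plain text even if the PHP handler stops working.
// Assumption: /var/www/config/db.php is a hypothetical file containing
//   <?php return ['host' => '...', 'user' => '...', 'pass' => '...', 'name' => '...'];
declare(strict_types=1);

function db_connect(string $configFile): mysqli
{
    if (!is_file($configFile) || !is_readable($configFile)) {
        throw new RuntimeException('Database configuration not available');
    }

    // Refuse a config file that has ended up inside the document root.
    $docroot = $_SERVER['DOCUMENT_ROOT'] ?? '';
    if ($docroot !== '' && ($docroot = realpath($docroot)) !== false) {
        $real = (string) realpath($configFile);
        if (strpos($real, $docroot . DIRECTORY_SEPARATOR) === 0) {
            throw new RuntimeException('Database configuration is inside the document root');
        }
    }

    $cfg = require $configFile;

    // Make mysqli throw instead of emitting warnings that may reach the page.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        $db = mysqli_connect($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
    } catch (mysqli_sql_exception $e) {
        // Log server-side only; rethrow a generic error so no message or
        // stack trace containing connection arguments is shown to visitors.
        error_log('DB connection failed: ' . $e->getMessage());
        throw new RuntimeException('Database unavailable');
    } finally {
        // Drop the credentials once the connection attempt is over, so
        // later code (modules, debug dumps) cannot expose them.
        unset($cfg);
    }

    return $db;
}

$db = db_connect(__DIR__ . '/config/db.php');
```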

Source: https://habr.com/ru/post/1393608/

