Learning from others mistakes - move configs out of your boot loader
I'm a keen believer of learning from other folks mistakes and attempting to not repeat them. Source code disclosure and even worse configuration disclosure which happened with tumblr. One thing to remember, if you keep your configuration for your app outside your webroot, you reduce the chances of you actually accidentally disclosing your configuration. Typically one could even do something like:
require_once dirname(dirname(__FILE__)) . '/bootstrap.php';
Rather than having everything in your index.php file. Separating your configuration directives out to a separate configuration file outside the webroot and modifying that when making changes.
One can use your version control pre commit scripts to check that you've not borked a the file - checking for php scripts being of a file type php script vs file is one way of doing this - foo.php contains a php script starting with "i?php" and bar.php has same code starting with "
$ file foo.php foo.php: PHP script text $ file bar.php bar.php: ASCII text