According to WordPress codex for extra protection of WP-Config.php you can add in .htaccess (at very top):
deny from all
How can I test live if external edit of wp-config.php is blocked? (as long as admin of server, or cpanel user of course I can edit all my files).
I think that every sysadmin or cpanel user who's concerned about cyber security want to test live if his security measures works or not.