I lost an hour because Matomo, my non-invasive web analytics tool, was installed in a way that made it easy to read the PHP files that would let anyone get the MySQL password. So I had to fix all that and change the password, which I didn't remember how to do. (Fortunately, that database has only web analytics information in it. Hackers could have destroyed valuable data about visits to smidgeo.com.)
All this is partly my fault, but also, as Dan says, it's way too easy to configure PHP in an insecure way. Unlike server apps in which you proxy API requests in the web server to a specific app, PHP generally has you configure your web server to just execute any .php file it finds. So, if someone guesses that you probably have a `popular-php-thing/reset.php`, they can just run it.
Further, Matomo puts secrets in PHP files in subdirectories of the very directory it wants you to make available to the public. So it's on you to say, OK, let people at `/piwik/` but not at `/piwik/config`. Better choices could have been made here.
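Here is what that "let people at `/piwik/` but not `/piwik/config`" rule looks like in practice. This is an added example, not configuration from the post or from the Matomo project: an nginx server block that shows the weak catch-all PHP handler beside a hardened version that refuses the config directory outright and only hands the documented front-controller scripts to PHP. The document root, the php-fpm socket, the hostname and the entry-point names (index.php, piwik.php, matomo.php) are assumptions; check them against the install.

```nginx
# Added example (not from the post or from Matomo): nginx config for a
# Matomo install living at /var/www/piwik and served under /piwik/.
# Paths, socket and entry-point names below are assumptions.

# WEAK: every .php file anywhere under the document root is executed on
# request, so /piwik/config/config.ini.php (which holds the DB password)
# and any stray reset.php are one URL away.
#
#   location ~ \.php$ {
#       include fastcgi_params;
#       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#       fastcgi_pass unix:/run/php/php-fpm.sock;
#   }

server {
    listen 80;
    server_name analytics.example.com;   # placeholder hostname
    root /var/www;                       # /var/www/piwik holds Matomo (assumed)

    # 1. Refuse the whole config directory before any PHP handler can see it.
    #    "^~" makes this prefix match win over the regex locations below.
    #    404 rather than 403 so the response doesn't confirm the path exists.
    location ^~ /piwik/config/ {
        return 404;
    }

    # 2. Only the known front-controller scripts are handed to PHP.
    #    index.php, piwik.php and matomo.php are assumed entry points.
    location ~ ^/piwik/(index|piwik|matomo)\.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed php-fpm socket
    }

    # 3. Any other .php under /piwik/ is neither executed nor served as text.
    location ~ ^/piwik/.*\.php$ {
        return 404;
    }

    # 4. Static assets (js, css, images) are served as files, nothing else.
    location /piwik/ {
        try_files $uri =404;
    }
}
```

The order matters: nginx picks the `^~` prefix block for anything under `/piwik/config/` before it evaluates the regex blocks, and the regex blocks are tried top to bottom, so the allow-list of entry points has to come before the catch-all that returns 404 for every other `.php`. After reloading, a quick check is `curl -sI http://analytics.example.com/piwik/config/config.ini.php`, which should come back 404, while `/piwik/index.php` still returns Matomo's normal response.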
In conclusion, I don't like that I had to spend time on something I didn't want to spend time on, but no, I can't think of a better alternative.