Hardening Tips

These will get you a more secure installation, compared to commonly used defaults.

Move config.php out of webroot
phpBB includes config.php under the board root; however, that file does not need to be the one that contains your database password. You can create the "real" config.php elsewhere on the file system, outside the directories your web server serves, and have the config.php under the board root include that file. This way, if you misconfigure your web server to serve .php files as plain text instead of passing them to php, you won't expose your database password.

Make source files read-only to php
php only needs to read the source files (the ones ending in .php). Make sure the source files are owned by a dedicated user account (different from the ones the web server and php run under) and that php has only read access to them.

Make source files inaccessible to web server
If your php processes are separate from your web server processes, run them under different user accounts. Then change permissions on phpBB .php files so that the web server does not have any access to them. You can, for example, have:

www - user and group the web server runs under
php - user and group php runs under
board - user you log in as to edit the files

Then, php files can be chowned to board:php with permissions of 0640 (owner read/write, group read, no access for others). This protects you from exposing the contents of php files should you misconfigure your web server.
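A small audit of the ownership and mode policy described above, added here as an example (it is not part of phpBB). It assumes GNU find, and that the board root path, expected owner and expected group are passed in as arguments:

```shell
#!/bin/sh
# Added example, not phpBB code: list .php files under a board root that are
# wider than 0640 or not owned by the expected user:group pair (board:php
# in the text above). Assumes GNU find (-perm /mode and -printf).
# Output: one line per offending file, "mode owner:group path".
audit_phpbb_perms() {
    root="$1"              # board root, e.g. /var/www/phpbb (assumed path)
    owner="${2:-board}"    # expected owner account
    group="${3:-php}"      # expected group (the one php runs under)
    # -perm /g+wx,o+rwx matches any file with group write/exec or any
    # "other" bit set, i.e. anything more permissive than rw-r----- (0640)
    find "$root" -type f -name '*.php' \
        \( -perm /g+wx,o+rwx -o ! -user "$owner" -o ! -group "$group" \) \
        -printf '%m %u:%g %p\n'
}

# Number of offending .php files; 0 means the tree matches the policy.
count_bad_php() {
    audit_phpbb_perms "$@" | wc -l | tr -d ' '
}
```

Run it as `audit_phpbb_perms /path/to/board board php` after the chown/chmod step; non-php assets (images, stylesheets) are deliberately not checked, since the web server must still read those.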