naveen17797 / newway-filemanager

Newway file manager is a file manager for servers. It helps you to access files on your server.
GNU General Public License v3.0

.json file security issue in version 3.0 beta #56

Open naveen17797 opened 4 years ago

naveen17797 commented 4 years ago

The .json file might be served by Apache if it is not protected by .htaccess. Although the file doesn't have passwords in plain text format, the risk is still huge: it can be cracked with dictionary-based attacks if the user was using a common password. There needs to be a way to store the file; maybe place it outside the root (version 2 did that).

Maikuolan commented 4 years ago

For Apache servers, placing a dot in front of the filename, like .file.json, will automatically hide the file from external requests, so may be a viable way to improve the security of the file in the case of Apache servers. However, that mechanism is unfortunately only an Apache thing, so won't make any difference in terms of security for users using other kinds of server software, like Nginx and so on.
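A server-independent way to check the "outside the root" option raised in this thread, as an added example that is not part of the thread or of the project's code: it lists every path under the document root through which the credential file is reachable, including leftover symlinks and hard links. The directory and file names (`htdocs`, `private`, `users.json`) are constructed for the demonstration, and the result describes filesystem placement only; whether a given server actually serves a listed path depends on its configuration.

```python
import os
import tempfile

def exposed_paths(store_path, doc_root):
    """List paths (relative to doc_root) through which the store file is reachable."""
    store = os.path.realpath(store_path)
    hits = []
    for dirpath, dirnames, filenames in os.walk(doc_root, followlinks=False):
        for name in filenames:
            candidate = os.path.join(dirpath, name)
            try:
                # samefile() follows symlinks and also matches hard links
                if os.path.samefile(candidate, store):
                    hits.append(os.path.relpath(candidate, doc_root))
            except OSError:
                continue  # broken symlink or unreadable entry
        for name in dirnames:
            candidate = os.path.join(dirpath, name)
            # os.walk does not descend into symlinked directories, so check them here
            if os.path.islink(candidate):
                target = os.path.realpath(candidate)
                if store.startswith(target + os.sep):
                    hits.append(os.path.join(os.path.relpath(candidate, doc_root),
                                             os.path.relpath(store, target)))
    return sorted(hits)

def demo():
    """Build three constructed layouts in a temp dir and audit each one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "htdocs")        # constructed document root
        private = os.path.join(tmp, "private")    # constructed directory outside it
        os.makedirs(os.path.join(root, "app"))
        os.makedirs(private)
        inside = os.path.join(root, "app", ".users.json")  # dot-prefixed, still in root
        outside = os.path.join(private, "users.json")
        for path in (inside, outside):
            with open(path, "w") as fh:
                fh.write("{}")
        results = {"inside": exposed_paths(inside, root),
                   "outside": exposed_paths(outside, root)}
        # A symlink left behind in the root makes the moved file reachable again
        os.symlink(outside, os.path.join(root, "app", "users-link.json"))
        results["outside_symlinked"] = exposed_paths(outside, root)
        return results

if __name__ == "__main__":
    for layout, hits in demo().items():
        print(layout, "->", hits or "not reachable from document root")
```

An empty list for the real store path means the file cannot be requested through the document root regardless of which web server is in use.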