Alexander Knyazev, 2016-05-03 18:13:06

Do I need to worry about specifying a password in a php file?

I'm new to this stuff so I don't know what to be afraid of. I am accessing the database:

mysql_connect("localhost", "login", "password") or die (mysql_error ());

Is it normal that in login and password I write the login and password to connect to the database? It seems like the PHP code cannot be viewed from the browser, but maybe I don't know something.


6 answer(s)
Roman, 2016-05-03
@r_zaycev

Actually, there is something to worry about.
There may be a case of nginx + backend misconfiguration (maybe there are also cases of backend failure; I have not seen this, but anything can happen), when PHP scripts are not processed correctly by the backend and, instead of being interpreted normally, the script is given to the client as plain text.
To minimize the potential damage from this, you should:

  • make a single entry point to the application (index.php in public_html and nothing more);
  • engine (framework) scripts, configs, etc., to which the client should not have access in any case, should be moved outside public_html.

Alexey S., 2016-05-03
@Winsik

As an option, you can put all constants, such as names and passwords, in a separate file and include it as needed. This also makes it convenient to share a piece of code without blanking out the lines with passwords / tokens.

Sergey Bondarenko, 2016-05-04
@sergyb

Always move the authorization data out into a configuration file.
It will be easier when transferring the resource somewhere.
As for adding them to PHP files, there are a million situations when, due to incorrect configuration of the web server, users were given a PHP file in its original text form. Do you need it?
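
The layout described in the answers above (a single index.php under public_html, credentials in a configuration file outside it), as an added example that is not part of any answer in the thread. The paths and the loadDbConfig helper are assumptions, and PDO is used in place of the question's mysql_connect.

```php
<?php
// public_html/index.php: single entry point, the only PHP file under the web root.
// Added example; paths and names are assumptions, not from the thread:
//   /home/site/config/db.php        (outside the web root)
//   /home/site/public_html/index.php
// config/db.php is expected to hold:
//   return ['dsn'  => 'mysql:host=localhost;dbname=app;charset=utf8mb4',
//           'user' => 'login', 'pass' => 'password'];
declare(strict_types=1);

function loadDbConfig(string $configPath, string $webRoot): array
{
    $real = realpath($configPath);
    $root = realpath($webRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or web root not found');
    }
    // Refuse a config that sits inside the web root: if the PHP handler
    // ever breaks, the server could send that file out as plain text.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file is inside the web root');
    }
    $cfg = require $real;
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!is_array($cfg) || !isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("config key missing: $key");
        }
    }
    return $cfg;
}

try {
    $cfg = loadDbConfig(__DIR__ . '/../config/db.php', __DIR__);
    $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (Throwable $e) {
    // Details go to the server log, not to the visitor.
    error_log('startup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service unavailable');
}

echo 'connected';
```

If the PHP handler fails and this index.php is served as text, the response shows only a relative path to the configuration file, not the login or password.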

zooks, 2016-05-03
@zooks

If a handler is configured for .php files, then it's fine.

Archakov Dennis, 2016-05-03
@archakov06

Don't listen to them, they give you pointless advice. All these options are like taking cover from bullets with an umbrella. Nobody will look at your PHP code from the browser, and a lot of sites work this way.
Some, of course, store all this data in separate configs (for example, config.php). But if your FTP is hacked or your hosting is accessed, then there is no escape.
Bottom line: Don't worry, just keep writing your code and don't listen to these useless tips above :) They won't save your site.

Arthur, 2016-05-04
@arturka_v_10

Use .htaccess to close direct access to the file.
