Michael, 2015-12-19 21:37:43

Why are passwords stored unencrypted in Joomla?

In the configuration.php file, the database password is in clear text.


3 answer(s)
Eugene Pukha, 2015-12-19
@Madfisht3

Yes, indeed, this is a huge security hole)
To protect your project from hacking, you need to replace the password for the database in this file with its hash. You need to generate it yourself, and always with the addition of "salt". Salt, of course, should not be stored on the server, but left on your computer, but in no case on the desktop. I would advise you to hide the salt file somewhere in the bowels of the Windows or Program Files folder.
And one more thing: because you will most likely hash the password in some online service, afterwards you must completely clear the whole browser cache, or even better, do it from a virtual machine, which you must then delete))))

xmoonlight, 2015-12-19
@xmoonlight

Exactly because the source code is open.

volanddd, 2016-01-22
@volanddd

Where do you suggest storing it?
No, really, are there alternatives?
