You can store stuff in the directory underneath the webroot and access it through local paths (..\filename.txt) - it can still be got at by your local code; but the webserver will ignore it. You're still stuffed if someone gets at the filesystem (or through FTP); but if they're that far in, you have other problems.
Yeah, that's basically what I'm doing. The only files accessible by the webserver are files that need to be served directly to the user. Everything else is shoved away behind the sofa, so to speak.
And yes, if someone gets access to the file system then I have much larger problems.
Hence my original question. If nothing on my server that could be considered 'sensitive' can be served directly to the user, what else can (or should) I be doing to secure the site? In my mind, I don't think it matters two hoots whether my (down the back of the sofa) source code contains a DB password or not, because if the only way you can get it is through the file system (physically or through FTP, as you mentioned) which particular file stores it is irrelevant, surely?
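As an added illustration of the point made in this thread (this is example code, not something either poster wrote), here is a small Python check that decides whether a given file would be reachable by a static web server rooted at a document root, together with a config loader that refuses to read credentials from any file that sits inside that root. The directory names (`htdocs`, `private`, `db.conf`) and the KEY=VALUE config format are assumptions chosen for the example; the credentials are constructed sample values. Paths are resolved with `realpath` so that `..` components and symlinks cannot make a file under the webroot look like it is outside it, or vice versa.

```python
import os
import tempfile


def is_servable(path, webroot):
    """Return True if `path` resolves to a location inside `webroot`, i.e. a
    static file server rooted at `webroot` could hand it out.  Both paths are
    resolved through realpath so '..' components and symlinks do not fool the check."""
    real_root = os.path.realpath(webroot)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_root, real_path]) == real_root


def load_db_config(config_path, webroot):
    """Read KEY=VALUE lines from config_path (assumed format), refusing to load
    the file at all if it lives somewhere the web server could serve it."""
    if is_servable(config_path, webroot):
        raise ValueError("refusing to load secrets from inside the webroot: %s" % config_path)
    settings = {}
    with open(config_path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # skip blanks and comments
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def demo():
    """Constructed layout: <tmp>/htdocs is the webroot, <tmp>/private holds the
    real config, and a second copy is deliberately dropped inside the webroot
    to show the loader rejecting it."""
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "htdocs")
    private = os.path.join(base, "private")
    os.makedirs(webroot)
    os.makedirs(private)
    good = os.path.join(private, "db.conf")
    bad = os.path.join(webroot, "db.conf")
    for p in (good, bad):
        with open(p, "w") as fh:
            # constructed sample credentials, not real ones
            fh.write("# sample\nDB_USER=app\nDB_PASS=example-only\n")
    results = {
        "good_servable": is_servable(good, webroot),
        "bad_servable": is_servable(bad, webroot),
        # a '..' path that escapes the webroot still resolves to the private copy
        "dotdot_servable": is_servable(
            os.path.join(webroot, "..", "private", "db.conf"), webroot),
        "config": load_db_config(good, webroot),
    }
    try:
        load_db_config(bad, webroot)
        results["bad_rejected"] = False
    except ValueError:
        results["bad_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The `is_servable` check is the part worth reusing: run it over every file that holds a secret (config, key material, backups) at deploy time, and treat a True result as a misconfiguration to fix before the server goes live. It only models a plain static-file mapping, so a framework that adds its own routing or rewrite rules needs its own equivalent check.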