A good solution is to keep it inside a separate PHP script. In the case of database connection data, this separate script should also connect to the database and then unset the access data variables in order to minimize the risk of data leaks.

https://alexwebdevelop.com/where-store-access-data/

A great security improvement is to keep the access PHP file outside of the web server root directory, so that it cannot be accessed by remote clients.