anyway protecting config.php further
surely the config file could be moved to a new directory "locked" which can be fuly htaccessed .. if so how many files would need adjusting to make sure the board still worked>
Why not move it outside of the webroot completely?? Shouldn't be too difficult as any real text editor will be able to do mass search&replace. It's just making sure everything worked afterwards.
Total number of files that'll need to be modified will/should be total PHP files minus config.php minus /includes/*.php.