IT IS VITAL that you:
 1) Remove read access to install.php, so your settings are not exposed on the web, and
 2) Remove write access to inc/config_user.php, so your settings cannot be changed from the web.