A really simple way to "hack" into someone's site is by checking for common filenames with backup extensions. For example, check this google search for config filetype:php~
Since backup files don't always contain the correct extension to be processed properly, the httpd usually sends them as plain text. The lines below should be placed in your httpd.conf to block these requests across all sites on your server. If you don't have httpd.conf access, these lines can go into a .htaccess file. For .htaccess, make sure to place it in the root web directory so it covers all of your subdirectories.
# Block requests for emacs/vi standard filename~ files <Files ~ "\~$"> Order allow,deny Deny from all Satisfy All </Files> # Block requests for anything like filename.old <Files ~ "\.(bak|old|2|copy|tmp|swp?)$"> Order allow,deny Deny from all Satisfy All </Files>