Someone at stackoverflow suggested I should deny access to the two files by doing below in .htaccess.

<files ~ "^.*\.([Hh][Tt][Aa])">

order allow,deny

deny from all

satisfy all

</files>

<files wp-config.php>

order allow,deny

deny from all

</files>

The problem is it screwed up my installation of W3 Total Cache plugin cos it needs to write to those files.

Since my htaccess and wp-config were hacked a few times, what is the best way to protect these files?