Bug 53111 - 1% of CMS sites expose database passwords
Summary: 1% of CMS sites expose database passwords
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: All
Version: 2.5-HEAD
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2012-04-20 06:42 UTC by D
Modified: 2012-04-20 06:42 UTC

Description D 2012-04-20 06:42:17 UTC
As the following article explains, "Nearly 1% of websites built with a content management system (like WordPress or Joomla) are unknowingly exposing their database password to anyone who knows where to look."

https://www.feross.org/cmsploit/

This is due to a complex interaction between Apache, the user's text editor, and the way those content management systems are configured.  The root problem is that if the user is editing a file like wp-config.php and the user's connection drops, then a backup file like wp-config.php~ is saved within the web root.  Apache understands that a .php file should be run, not returned in cleartext; but Apache doesn't know anything about .php~ files.  Consequently, Apache will return the entire contents of the file, in clear text -- exposing any passwords that may be stored in that file.

I think there is an opportunity for Apache's default install to help protect against this sort of failure.  And, seeing as today it affects 1% of an important class of web sites, I think that would be a valuable improvement to Apache.

One plausible defense: Apache's default installation could recognize text editor backup files and could (in its default configuration) refuse to serve them.

A simple approximation of this would be to add .php~, .php#, .cgi~, .cgi#, .save, .swp, .swo to the list of recognized extensions, and refuse to serve files with that extension (in Apache's default configuration).  Basically, this is building a blacklist of files that Apache is not going to serve (in its default configuration).

As a variant on this idea, the essay above suggests a rule like this:

<Files ~ "(^#.*#|~|\.sw[op])$">
Order allow,deny
Deny from all
</Files>

See also:

http://nmap.org/nsedoc/scripts/http-config-backup.html
http://wordpress.org/support/topic/attack-against-wp-configphp-with-a-tilde
http://blog.tigertech.net/posts/wordpress-security-thoughts/
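The following audit script is an added example, not part of the bug report or of httpd. It takes the regex from the `<Files ~ "...">` directive quoted in the report and the extension list from the report's blacklist proposal, walks a web root, and lists editor backup files that would be served as plain text, marking which of them the quoted directive would actually block. Running it over a constructed sample tree (the file names and the `wp-content/plugins/` subdirectory are assumptions chosen for the example) shows the gap between the two proposals: `wp-config.php.save` and `wp-config.php#` are on the extension list but are not caught by the regex, because `^#.*#` only matches names that both start and end with `#`. On httpd 2.4 and later the `Order allow,deny` / `Deny from all` pair is written `Require all denied`; the regex itself is unchanged.

```python
import os
import re
import shutil
import tempfile

# Regex exactly as quoted in the report's <Files ~ "..."> directive. Apache
# applies <Files> to the basename, so the patterns are tested against names only.
FILES_DIRECTIVE_RE = re.compile(r"(^#.*#|~|\.sw[op])$")

# Editor-backup patterns built from the report's proposed extension blacklist
# (.php~, .php#, .cgi~, .cgi#, .save, .swp, .swo) plus the Emacs autosave form.
BACKUP_PATTERNS = [
    re.compile(r"^#.*#$"),            # Emacs autosave: #wp-config.php#
    re.compile(r"~$"),                # Emacs/nano/joe backup: wp-config.php~
    re.compile(r"\.sw[op]$"),         # vim swap files: .wp-config.php.swp
    re.compile(r"\.save$"),           # nano "save" suffix from the report's list
    re.compile(r"\.(php|cgi)#$"),     # .php# / .cgi# from the report's list
]


def matches_files_directive(name: str) -> bool:
    """True if the report's <Files ~> regex would deny this basename."""
    return FILES_DIRECTIVE_RE.search(name) is not None


def is_editor_backup(name: str) -> bool:
    """True if the basename looks like an editor backup/swap file."""
    return any(p.search(name) for p in BACKUP_PATTERNS)


def find_exposed_backups(webroot: str):
    """Walk webroot and return sorted (relative_path, blocked_by_directive)
    tuples for every editor backup file found under it."""
    found = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        for fn in filenames:
            if is_editor_backup(fn):
                rel = os.path.relpath(os.path.join(dirpath, fn), webroot)
                found.append((rel, matches_files_directive(fn)))
    return sorted(found)


def build_sample_webroot() -> str:
    """Create a constructed sample web root (names are assumptions for the
    example) and return its path. Caller removes it when done."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "wp-content", "plugins"))
    sample = [
        "index.php",                 # normal file, must not be flagged
        "wp-config.php",             # the real config, executed by PHP, not flagged
        "wp-config.php~",            # backup left by an editor
        "#wp-config.php#",           # Emacs autosave
        ".wp-config.php.swp",        # vim swap file
        "wp-config.php.save",        # on the extension list, not in the regex
        "wp-config.php#",            # on the extension list, not in the regex
        os.path.join("wp-content", "plugins", "hello.php~"),
    ]
    for name in sample:
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed-sample'); ?>\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    try:
        for rel, blocked in find_exposed_backups(root):
            status = "blocked by <Files ~> regex" if blocked else "NOT blocked"
            print(f"{rel}: {status}")
    finally:
        shutil.rmtree(root)
```

Point the script at a real document root (replace the sample root with the path to your web root) to find backup files that are already sitting where httpd will serve them; the two "NOT blocked" lines in the sample output are the names the report's extension list covers but its regex does not.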