Is it possible the remove userID and passwords from the mainfile.php and put it into a separate PHP file inside the trust path? The file with the passwords would later be "included" into the mainfile.php
Yes, it is possible to get out parts or all the mainfile of your web root directory. Search in this site (xoops.org) for security tips.
Recently I tried XoopsCare from Instant Zero. I think you should give it a try. Some features:
1/ Maintain your database (check, repair, analyse and optimize your tables) 2/ Run you own queries when you want 3/ Execute Php code when you want it 4/ Clean templates_c and cache folders 5/ Remove spammed comments 6/ Clean sessions
The module can do its job with a cron or with its block.