11
Mithrandir
Re: mainfile.php in read only but still can write in it ...

Quote:
If the webserver USER is also the file OWNER, this could lead to serious security issues, as the web site could be intruded for malicious behavior if the code is sloppily made.


But in general, I wouldn't recommend that the webserver user is also the file owner - group is ok, but not owner.

12
DonXoop
Re: mainfile.php in read only but still can write in it ...

Best if the file owner isn't the same as the web process owner. Set it for read-only as mentioned. You could also set the group ownership to the Apache user and set rights to -440-, now only you (file owner) and the server can read the file.

If you want a little extra paranoid protection besides file level rights you can add this to your Apache config file:
<Files ~ "mainfile.php">
Order allow,deny
Deny from all
</Files>

This prevents a browser request from directly calling the file. I do the same for a selection of other files that are never/shouldn't be called from a browser.

If you're using a PHP encryptor app (Zend, mmcache etc.) you can encrypt the file too and it can only be viewed as designed (include(); ).
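An added example, not part of any post in this thread: a small audit of the ownership and mode advice above (owner is not the web process user, group is the server's group, mode 440). The function names, finding labels and the uid/gid arguments are assumptions made for illustration; pass the values your server actually runs with.

```python
import os
import stat
import tempfile

def effective_bits(st, uid, gids):
    """rwx bits that classic Unix permission checks apply to uid/gids."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:          # owner class wins, even if it grants less
        return (mode >> 6) & 7
    if st.st_gid in gids:         # then the group class
        return (mode >> 3) & 7
    return mode & 7               # otherwise "other"

def audit(path, web_uid, web_gids):
    """Return findings for a config file such as mainfile.php."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    bits = effective_bits(st, web_uid, web_gids)
    findings = []
    if st.st_uid == web_uid:
        # The owner may chmod the file at any time, so a read-only mode
        # does not stop code running as the web user from rewriting it.
        findings.append("owner-is-webserver")
    if bits & 2:
        findings.append("webserver-can-write")
    if not bits & 4:
        findings.append("webserver-cannot-read")   # site would break
    if mode & 0o007:
        findings.append("accessible-to-others")    # 444 instead of 440
    return findings

if __name__ == "__main__":
    # Constructed sample: a temporary file stands in for mainfile.php.
    fd, path = tempfile.mkstemp(suffix=".php")
    os.close(fd)
    st = os.stat(path)
    me, other = st.st_uid, st.st_uid + 1   # "other" is a made-up web uid
    for mode, uid, gids in [(0o444, me, set()),
                            (0o440, other, {st.st_gid}),
                            (0o664, other, {st.st_gid})]:
        os.chmod(path, mode)
        print(oct(mode), "web uid", uid, "->", audit(path, uid, gids) or "ok")
    os.remove(path)
```
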

13
zer0fill
Re: mainfile.php in read only but still can write in it ...
  • 2004/4/14 19:33


try deleting the file then re-uploading it with the 444 chmod
