Best if the file owner isn't the same as the web process owner. Set it for read-only as mentioned. You could also set the group ownership to the Apache user and set rights to -440-; now only you (file owner) and the server can read the file.
If you want a little extra paranoid protection besides file-level rights, you can add this to your Apache config file:
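```apache
# Refuse direct HTTP requests for mainfile.php (Apache 2.2 access syntax).
# On Apache 2.4, replace the Order/Deny pair with: Require all denied
<Files ~ "mainfile\.php">
    Order allow,deny
    Deny from all
</Files>
```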
This prevents a browser request from directly calling the file. I do the same for a selection of other files that are never/shouldn't be called from a browser.
If you're using a PHP encryptor app (Zend, mmcache etc.) you can encrypt the file too and it can only be viewed as designed (include(); ).
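
The ownership and mode advice from the answer above, written as an audit check (an added example, not part of the original post). It assumes GNU `stat -c`; the function name `audit_config` and the account and group names passed to it are hypothetical.

```shell
#!/bin/sh
# audit_config FILE WEB_USER WEB_GROUP
# Prints one line per finding. Returns 0 when FILE follows the advice above
# (owner differs from the web account, group is the web group, mode has no
# write bits and nothing for "other"), 1 on any finding, 2 if FILE is missing.
audit_config() {
    file=$1
    web_user=$2
    web_group=$3
    rc=0

    if [ ! -f "$file" ]; then
        echo "$file: not a regular file"
        return 2
    fi

    mode=$(stat -c %a "$file")    # octal permissions, e.g. 440
    owner=$(stat -c %U "$file")
    group=$(stat -c %G "$file")

    # A compromised web process must not own (and so be able to chmod) the file.
    if [ "$owner" = "$web_user" ]; then
        echo "$file: owned by the web account '$owner'"; rc=1
    fi
    # The server reads the file through its group, so the group has to match.
    if [ "$group" != "$web_group" ]; then
        echo "$file: group is '$group', expected '$web_group'"; rc=1
    fi
    # Leading 0 makes the shell read the mode as octal for the bit tests.
    if [ $(( 0$mode & 0007 )) -ne 0 ]; then
        echo "$file: mode $mode grants access to other users"; rc=1
    fi
    if [ $(( 0$mode & 0222 )) -ne 0 ]; then
        echo "$file: mode $mode leaves write bits set"; rc=1
    fi
    if [ $(( 0$mode & 0040 )) -eq 0 ]; then
        echo "$file: mode $mode gives the group no read access"; rc=1
    fi
    return $rc
}

# Stand-alone use: sh audit.sh /path/to/mainfile.php WEB_USER WEB_GROUP
if [ "$#" -eq 3 ]; then
    audit_config "$@"
    exit $?
fi
```
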