As a general rule, the permissions of a PHP file should take one of two sets of values, either 644 or 600.
644 – A PHP file needs to be world readable if it is to be called via your web browser (meaning it is being processed by Apache). Do not include important passwords or secret keys in world-accessible files, as this opens your site up for those with malicious intent.
600 – For include files, typically containing unique keys or passwords (e.g. MySQL credentials, PayPal API Keys). If a PHP file is not accessed directly via your web browser (only referenced via other PHP files), use these permissions.