I have .htaccess set to Options -Indexes, but that's not enough for someone to guess a directory structure.
What do I need to do to completely prevent someone from having access to these files?
The link example is not my site, but it exercises the problem wherein if someone knows the site hierarchy (in this case, for Concrete5), they can access files directly. In this example, a db.xml file.
2) What file is it we're worried about here? Where's the security risk?
But more importantly - I'm not sure this is a huge issue. The software is open source, and the tables are always the same. So if someone knows you're running concrete5 (which they would have to, in order to know to look in that spot), they'd also be able to just download the software for themselves to learn what tables the system creates. It's not like that file contains any privileged information - it's just the schema for the database.
Now, if it were config/site.php that were readable through the browser, that would be a big deal - but this file is not very sensitive at all.
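For reference, an added example that is not part of either post: the `Options -Indexes` setting from the question beside rules that also refuse direct requests for `db.xml`. It assumes Apache 2.4 and that the server's `AllowOverride` setting lets `.htaccess` use `Options` and `Require`.

```apache
# Added example, not from the thread. Assumes Apache 2.4 and an .htaccess
# in the site root, with AllowOverride permitting Options and AuthConfig.

# Not sufficient on its own: this only stops Apache from generating a
# directory listing. A request for a known file path is still served.
Options -Indexes

# Deny direct requests for the schema file by name, in every directory
# this .htaccess covers.
<Files "db.xml">
    Require all denied
</Files>

# Broader variant (assumption: the site serves no XML that browsers need,
# such as a sitemap or feed): refuse every .xml file.
<FilesMatch "\.xml$">
    Require all denied
</FilesMatch>
```

With these rules in place, a request for a matching file returns 403 Forbidden, while PHP code on the server can still read the file from disk.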