Unencrypted mysql connect info in files with 644 permissions is quite common... probably because it's the only place to put it. As long as nobody has ftp access to your site, it's not really a risk.
If you have decent virus/anti malware on your computer to detect RATs, and don't store your ftp login info in your ftp program, you're pretty safe.
Most of the iframe injections on servers are not done with the intent of hacking the server. It is usually the hacker's intent that the iframe be inserted, and the site continue to operate normally, so that visitors to the page will have a RAT planted on their computer.... so that computer will become part of a bot net..... which hackers can sell for big $$$. The worst case scenario for having these RAT distribution hidden iframes on your site, would be to have Google index your site while they are present.... I can't think of a worse fate for a site, than to be blacklisted by Google.
With that said, I don't think it's Boonex's responsibility to keep other people's servers and personal computers secure. It's not Boonex's responsibility to prevent uninformed web site owners from becoming their own worst enemy. That's up to the web site owner. Where Boonex's responsibility lies, is ensuring that the script itself is not vulnerable to things like XSS and SQL injection attacks.... not to form some sort of witless protection program.
If someone has ftp access to your site, unencrypted passwords in files are the least of your worries. Just let me upload a few php files to your shared server, and I'll have shell access. From there, I could take down every site on the server.