>>70
>Although it's suspicious inc/config.php has empty MySQL credentials…
How is that suspicious?
The credentials are in inc/secrets.php because otherwise they would be tracked and included in the open source repository.

As far as I know the inc/config.php shouldn't even be modified.
If the admin wants to change something in the $config variable, it should either be defined on inc/instance-config.php or inc/secrets.php.