Someone at stackoverflow suggested I should deny access to the two files by doing below in .htaccess.
<files ~ "^.*\.([Hh][Tt][Aa])"> order allow,deny deny from all satisfy all </files> <files wp-config.php> order allow,deny deny from all </files>
The problem is it screwed up my installation of W3 Total Cache plugin cos it needs to write to those files.
Since my htaccess and wp-config were hacked a few times, what is the best way to protect these files?