What I usually do in these cases is allow for a two layered configuration where the default set of properties is versioned and committed with the source, but then developers can supply an external file that will be used if discovered, and will replace the defaults on a per setting basis. This is not only useful for externalizing credentials, but it also lets you default things like thread count, connection pool size, etc.. that can be overridden if desired. Importantly, they can see the full structure always. You your self would have your own external overrides file with the real credentials you use. But the defaults are fake ones that you check in.
I know you are using PHP, for java as an example, it would look roughly like this:
Properties defaultProps = loadDefaults();
Properties overrideProps = loadOverridesIfFound();
for(String name : overrideProps.keySet()) {
defaultProperties.put(name,overrideProps.get(name));
}
I have found this technique to be very effective for many projects.