If you're interested in learning more about securing your deployments, I can:
You can add Disallow: *.txt to your robots.txt , but this only stops honest crawlers. Malicious actors ignore robots.txt. Inurl Userpwd.txt