Because we have some custom configuration in our php.ini file we apparently have to store it in the root dir of our site & hence any user would be able to see it.
How can I block people accessing it via their browser for example?
Try to put this in your .htaccess:
<FilesMatch "php.ini">
Order allow,deny
Deny from all
</FilesMatch>
It denies access to anyone trying to reach php.ini.
Edit: Allow and Order are deprecated in Apache 2.4. You should use Require all denied instead.
<FilesMatch "php.ini">
Require all denied
</FilesMatch>
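The two variants in the answer above can be combined so that one .htaccess works on both Apache 2.2 and 2.4. This is an added example, not part of the original answer; it also anchors the pattern and escapes the dot, because FilesMatch takes a regular expression and the unanchored "php.ini" matches any filename that contains those characters with any single character in place of the dot.

```apache
# Added example: deny HTTP access to php.ini on Apache 2.2 and 2.4.
# FilesMatch tests the file's name (not the full path) against a regex,
# so ^...$ with an escaped dot limits the rule to exactly "php.ini".
<FilesMatch "^php\.ini$">
    # Apache 2.4: mod_authz_core provides the Require directive.
    # In .htaccess this needs AllowOverride AuthConfig (or All).
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2: mod_authz_core does not exist, so use the older
    # Order/Deny directives. In .htaccess these need
    # AllowOverride Limit (or All).
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After saving the file, a request for /php.ini should return 403 Forbidden. If it still returns the file contents, the server is probably ignoring .htaccess because AllowOverride is set to None for that directory.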