By default, the Django database host/user/password are stored in the project settings.py file in plain text.
I can't seem to think of a better way at the moment, but this seems to be against best practices for password storage. Granted, if an attacker has access to the settings file, then all is probably already lost. Even if the the file were encrypted, the attacker would probably have the means to decrypt it by then.
Is this okay?
Yes, it's standard procedure for any database communicating program. There really isn't a "better way" to do it.
There are ways to help prevent invalid hosts from connecting (ip tables, private ip addresses), but the actual connection details are almost always plain text.
Storing the file outside of the web root will help some, but if the attacker has access to the file system it won't matter.
You are correct. But you can increase security by:
Setting the permissions correctly (this will depend on your set up). Ideally only python should be able to read the file.
Storing the file out of the www or htdocs root. If at this point an attacker still has access to them, you are screwed anyways.
For added security, you can encrypt the connection settings using symmetric encryption (eg: AES). Store the key somewhere else. So even if someone managed to access the connection settings, they'd still need to find the key. The main drawback is that now you have to rewrite the connection method.