diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..7dab78d4
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+/hashover/comments/
+/hashover/config/secrets.ini
+/hashover/config/blocklist.json
+/hashover/config/ignored-queries.json
+/hashover/config/settings.json
diff --git a/hashover/admin/views/settings/index.php b/hashover/admin/views/settings/index.php
index 86828e7a..f66bf452 100644
--- a/hashover/admin/views/settings/index.php
+++ b/hashover/admin/views/settings/index.php
@@ -411,7 +411,7 @@ function settings_array (Setup $setup)
 $submitted = true;
 } else {
 // Set submission indicators
- $title = 'Failed to Settings!';
+ $title = 'Failed to save Settings!';
 }
 }
diff --git a/hashover/backend/classes/secrets.php b/hashover/backend/classes/secrets.php
index 8ce3777f..7744ebfb 100644
--- a/hashover/backend/classes/secrets.php
+++ b/hashover/backend/classes/secrets.php
@@ -7,22 +7,6 @@
 // This applies worldwide. If this is not legally possible, I grant any
 // entity the right to use this work for any purpose, without any
 // conditions, unless such conditions are required by law.
-//
-//--------------------
-//
-// IMPORTANT NOTICE:
-//
-// To retain your settings and maintain proper functionality, when
-// downloading or otherwise upgrading to a new version of HashOver it
-// is important that you preserve this file, unless directed otherwise.
-//
-// It is also important to choose UNIQUE values for the encryption key,
-// admin name, and admin password, as not doing so puts HashOver at
-// risk of being hijacked. Allowing someone to delete comments and/or
-// edit existing comments to post spam, impersonate you or your
-// visitors in order to push some sort of agenda/propaganda, to defame
-// you or your visitors, or to imply endorsement of some product(s),
-// service(s), and/or political ideology.
 class Secrets
@@ -38,4 +22,24 @@ class Secrets
 // Login password to gain admin rights (case-sensitive)
 protected $adminPassword = 'passwd';
+
+ protected function getSecretConfigPath() {
+ return dirname(dirname(__DIR__)) . '/config/secrets.ini';
+ }
+
+ function __construct() {
+ $config_file_name = $this->getSecretConfigPath();
+ if (!file_exists($config_file_name)) {
+ throw new \Exception (sprintf (
+ 'Please create the file %s (using secrets.ini.sample as a template)',
+ $config_file_name
+ ));
+ }
+
+ $arr = parse_ini_file($config_file_name);
+ $this->notificationEmail = $arr['notification-email'];
+ $this->encryptionKey = $arr['encryption-key'];
+ $this->adminName = $arr['admin-name'];
+ $this->adminPassword = $arr['admin-password'];
+ }
 }
diff --git a/hashover/backend/classes/settings.php b/hashover/backend/classes/settings.php
index 04cce887..f2b743d0 100644
--- a/hashover/backend/classes/settings.php
+++ b/hashover/backend/classes/settings.php
@@ -137,6 +137,8 @@ class Settings extends Secrets
 public function __construct ()
 {
+ parent::__construct();
+
 // Theme path
 $this->themePath = 'themes/' . $this->theme;
@@ -192,10 +194,13 @@ function isHTTPS ()
 return false;
 }
- // Returns a server-side absolute file path
+ // Given a path relative to the HashOver root directory,
+ // returns the server-side absolute file path
 public function getAbsolutePath ($file)
 {
- return realpath ($this->rootDirectory . '/' . trim ($file, '/'));
+ // NB: Not using realpath() here to allow working with paths not
+ // pointing to existing files, and to avoid unnecessary symlink resolution.
+ return $this->rootDirectory . '/' . trim ($file, '/');
 }
 // Returns a client-side path for a file within the HashOver root
diff --git a/hashover/backend/classes/setup.php b/hashover/backend/classes/setup.php
index 855a504a..f70e5c65 100644
--- a/hashover/backend/classes/setup.php
+++ b/hashover/backend/classes/setup.php
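Review bot: `parse_ini_file($config_file_name)` in the new `__construct` has no failure handling: it returns `false` for an unreadable or malformed file and a missing key reads as `null`, so the four properties are silently set to `null` and the default-value guards in setup.php (`=== '8CharKey'` and friends) no longer fire. The default INI scanner also interprets values, so a key or password spelled `yes`/`no`/`true`/`false`/`null`/`on`/`off` is rewritten to `"1"` or `""`, and an unquoted value containing `;` or one of the reserved characters `{}|&~!()^"` is truncated, altered or rejected; passing `INI_SCANNER_RAW` keeps the secrets literal. Because `config/secrets.ini` now lives under `hashover/`, which the `themes/` path in settings.php suggests is web-served, confirm the server denies direct requests for `.ini` files there — the previous `.php` holder was executed rather than served, so this is a new exposure to check. The constructor also lacks a visibility keyword and the file's `function name ()` spacing; `public function __construct ()` would match the surrounding code.
```php
		$arr = parse_ini_file ($config_file_name, false, INI_SCANNER_RAW);
		if ($arr === false) {
			throw new \Exception (sprintf ('Could not parse %s', $config_file_name));
		}

		// Every secret must be present and non-empty; a missing key would
		// otherwise become null and slip past the default-value checks in setup.php
		foreach (['notification-email', 'encryption-key', 'admin-name', 'admin-password'] as $key) {
			if (!isset ($arr[$key]) || !is_string ($arr[$key]) || $arr[$key] === '') {
				throw new \Exception (sprintf ('Missing or empty "%s" in %s', $key, $config_file_name));
			}
		}

		// … unchanged: property assignments …
```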
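Review bot: Dropping `realpath()` in `getAbsolutePath` removes the only normalisation the path received: `trim ($file, '/')` strips edge slashes but leaves `..` segments, so a `$file` such as `../../x` now resolves outside `rootDirectory`, whereas `realpath()` returned a canonical path (or `false`) that a caller could compare against the root. Whether any caller passes request-derived values is not visible in this hunk, but the method is public, so the contract should be made explicit: either document it with `// $file must be a trusted path relative to the HashOver root, with no '..' segments` or reject such input, e.g. `if (in_array ('..', explode ('/', $file), true)) { throw new \InvalidArgumentException ('Path must not contain ".." segments'); }`. Callers that tested the old `false` return for a missing file will now receive a string and need checking in the files outside this diff.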
@@ -111,7 +111,7 @@ public function __construct (array $usage)
 if ($this->notificationEmail === 'example@example.com') {
 throw new \Exception (sprintf (
 'You must use a UNIQUE notification e-mail in %s',
- $this->getBackendPath ('classes/settings.php')
+ $this->getSecretConfigPath()
 ));
 }
@@ -119,7 +119,7 @@ public function __construct (array $usage)
 if ($this->encryptionKey === '8CharKey') {
 throw new \Exception (sprintf (
 'You must use a UNIQUE encryption key in %s',
- $this->getBackendPath ('classes/settings.php')
+ $this->getSecretConfigPath()
 ));
 }
@@ -127,7 +127,7 @@ public function __construct (array $usage)
 if ($this->adminPassword === 'password') {
 throw new \Exception (sprintf (
 'You must use a UNIQUE admin password in %s',
- $this->getBackendPath ('classes/settings.php')
+ $this->getSecretConfigPath()
 ));
 }
diff --git a/hashover/config/blocklist.json b/hashover/config/blocklist.json
deleted file mode 100644
index 0637a088..00000000
--- a/hashover/config/blocklist.json
+++ /dev/null
@@ -1 +0,0 @@
-[]
\ No newline at end of file
diff --git a/hashover/config/ignored-queries.json b/hashover/config/ignored-queries.json
deleted file mode 100644
index 0637a088..00000000
--- a/hashover/config/ignored-queries.json
+++ /dev/null
@@ -1 +0,0 @@
-[]
\ No newline at end of file
diff --git a/hashover/config/secrets.ini.sample b/hashover/config/secrets.ini.sample
new file mode 100644
index 00000000..06968e02
--- /dev/null
+++ b/hashover/config/secrets.ini.sample
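Review bot: The admin-password guard in the third setup.php hunk compares against `'password'`, but the default shipped both in `Secrets` (`'passwd'`) and in the new `secrets.ini.sample` (`admin-password = passwd`) is `passwd`, so a copied sample with its password untouched passes this check while the message it would print now points at the secrets file; the comparison should be `if ($this->adminPassword === 'passwd') {` (or cover both strings). All three hunks now call `getSecretConfigPath()`, which is declared `protected` in `Secrets`, so this relies on `Setup` inheriting through `Settings`; that is consistent with the `$this->encryptionKey` reads already here, though the class header is outside the hunks. I do not see a corresponding check for `admin-name` in these hunks even though the notice moved into the sample names the admin name as a value that must be unique. Note also that a `null` value (which the new `Secrets` constructor produces for a key missing from the INI file) passes all three `===` comparisons, so an emptiness check next to each default-value check would close that gap.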
@@ -0,0 +1,25 @@
+; IMPORTANT NOTICE:
+;
+; To retain your settings and maintain proper functionality, when
+; downloading or otherwise upgrading to a new version of HashOver it
+; is important that you preserve this file, unless directed otherwise.
+;
+; It is also important to choose UNIQUE values for the encryption key,
+; admin name, and admin password, as not doing so puts HashOver at
+; risk of being hijacked. Allowing someone to delete comments and/or
+; edit existing comments to post spam, impersonate you or your
+; visitors in order to push some sort of agenda/propaganda, to defame
+; you or your visitors, or to imply endorsement of some product(s),
+; service(s), and/or political ideology.
+
+; E-mail for notification of new comments
+notification-email = example@example.com
+
+; Unique encryption key (case-sensitive)
+encryption-key = 8CharKey
+
+; Login name to gain admin rights (case-sensitive)
+admin-name = admin
+
+; Login password to gain admin rights (case-sensitive)
+admin-password = passwd
diff --git a/hashover/config/settings.json b/hashover/config/settings.json
deleted file mode 100644
index d77b96e5..00000000
--- a/hashover/config/settings.json
+++ /dev/null
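Review bot: The sample gives no guidance on INI quoting, yet `secrets.php` reads it with `parse_ini_file()` under the default scanner, where `;` starts a comment and the bare words `yes`/`no`/`true`/`false`/`null`/`on`/`off` are converted rather than taken verbatim, so a generated key or password containing `;`, `"` or one of `{}|&~!()^` would be truncated, altered or rejected. Add a line to the notice such as `; Quote values that contain spaces or punctuation, e.g. encryption-key = "..."` and write the two secret values in the sample with quotes so that copying the format is safe. It is also worth stating here that the file must be readable only by the PHP process and must not be served by the web server, since it now lives under `hashover/config/` next to non-secret configuration.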
@@ -1,51 +0,0 @@
-{
- "language": "auto",
- "theme": "default",
- "uses-moderation": false,
- "pends-user-edits": false,
- "data-format": "xml",
- "default-name": "Anonymous",
- "allows-images": true,
- "allows-login": true,
- "allows-likes": true,
- "allows-dislikes": false,
- "uses-ajax": true,
- "collapses-interface": false,
- "collapses-comments": true,
- "collapse-limit": 3,
- "reply-mode": "thread",
- "stream-depth": 3,
- "popularity-threshold": 5,
- "popularity-limit": 2,
- "uses-markdown": true,
- "server-timezone": "America\/Los_Angeles",
- "uses-user-timezone": true,
- "uses-short-dates": true,
- "time-format": "g:ia",
- "date-format": "m\/d\/Y",
- "displays-title": true,
- "form-position": "top",
- "uses-auto-login": true,
- "shows-reply-count": true,
- "count-includes-deleted": true,
- "icon-mode": "image",
- "icon-size": 45,
- "image-format": "png",
- "uses-labels": false,
- "uses-cancel-buttons": true,
- "appends-css": true,
- "appends-rss": true,
- "login-method": "defaultLogin",
- "sets-cookies": true,
- "secure-cookies": false,
- "stores-ip-address": false,
- "allows-user-replies": false,
- "noreply-email": "noreply@example.com",
- "spam-batabase": "remote",
- "spam-check-modes": "php",
- "gravatar-force": false,
- "gravatar-default": "custom",
- "minifies-javascript": false,
- "minify-level": 4,
- "allow-local-metadata": false
-}