There are two types of file. Those that are interacted with directly (you load them in the URL, they run on the server, then they show you a response), and those you include from other files.
By the looks of things,
bp-mail.php is a file you interact with directly.
This file should not contain your credentials.
If - for some crazy reason - Apache stopped parsing that file as PHP and defaulted to plain-text as it can do (happened to Facebook once) then people would just see your passwords.
Put that file outside of the web route, and use
$config = require(dirname(__DIR__).'/config.php'); or something simple like that to include the file, then just reference the variables in that file.
That config file could look like this:
<?php return [ 'smtp' => [ 'username' => '', 'password' => '', ], ];
bp-mail.php you can use
$config['smtp']['username'];, and if anyone sees that in plain text then who cares.