In your case the error message is right (but maybe the message is not that clear).
What it tries to say: People can access your config.ini.php, there is no webserver rule that denies the access and returns e.g. a 403 Forbidden.
But people also can’t see the content of your config.ini.php (it should be kept secret) as it is executed as PHP which does nothing, but return “;”.
So this is no issue now, but if you would one day accidentally mess up your webserver config so that PHP files are no longer executed, but delivered like html files, people will be able to read the content of the config.
I have seen this happen quite easily with Apache, so that’s why there is now a warning in Matomo.
On how to fix this:
If you use Apache, this should not happen anyway as the .htaccess files should block access.
If you use nginx, take a look at https://github.com/matomo-org/matomo-nginx/
If you use another webserver, you’ll have to create your own rules inspired by the above two.