As logic_earth says, in the event your server has been rooted (which is actually the worst nightmare we can have in this business), you are seriously screwed.
In these scenarios it is best to actually think about this as the person breaking in, compared to as the developer writing the script. Let’s setup a few cases and what could happen.
1. You have used ioncube or zend on the files.
This does protect your files from being initially reviewed, and of course the salt string to be shown.
However, it will not take too long with some investigation and using debugging + use of reflection to get the information you need. Of course by having root access, you would have put these files into a tarball and downloaded them. Please note that no matter the restrictions you have on the encrypted files/license, it wont be a problem to manipulate yourself around those and run the files on a local server.
In addition you would of course dump the information you needed from the database, so you have it for the future.
2. You have left the files open.
In this case the person has access to review the files and get the salt string right away without too much work. And of course he would then get the database information.
As you can see out of the two, the first one will give you a little more protection, especially if the rooting was done by a script kiddie. But only then.
In addition, in both cases as the intruder I would be updating your system so that it would leave me a backdoor in case I lose root, but also update it so it would also store your users passwords in clear text the next time they logged in. That way I don’t need to brute force some of them.
Please note that this is just as SIMPLE to do no matter if the files are encrypted or not. In the event they are encrypted all you need to do is rename the real file to a new filename, and create a new file where you store the content of the POST first, and then include the real file.
So in short, if the server get rooted/breached you are really screwed since that equal to give the intruder access to everything, and your code can be as secure as possible but unless the server is also updated and secured, it is not really worth that much. If you do not trust a hosting service, I would stay far away from it if your planning to host anything else than personal websites.