This isn't a problem with public/private repositories. It's possible to commit the config files for WordPress without exposing your passwords - you just have to not be lazy about it, and store the actual values in the environment or pull them from a file you don't commit with everything else.
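A committable `wp-config.php` along the lines described above, as an added example that is not part of the original comment or of WordPress itself. The `wp_secret()` helper, the environment variable names and the untracked `wp-secrets.php` file are assumptions made for illustration.

```php
<?php
// wp-config.php: safe to commit, because it holds no secret values.
// Assumed names (not from the original comment): wp_secret(), the environment
// variable names, and the untracked file wp-secrets.php one level above the web root.

function wp_secret(string $name): string
{
    static $file = null;

    // 1. Prefer the process environment (web server, container or service unit).
    $value = getenv($name);
    if ($value !== false && $value !== '') {
        return $value;
    }

    // 2. Fall back to a PHP file that returns an array of settings. It lives
    //    outside the web root and is listed in .gitignore, so it is never committed.
    if ($file === null) {
        $path = dirname(__DIR__) . '/wp-secrets.php';
        $loaded = is_readable($path) ? require $path : [];
        $file = is_array($loaded) ? $loaded : [];
    }
    if (isset($file[$name]) && $file[$name] !== '') {
        return (string) $file[$name];
    }

    // 3. Fail closed: no default password, and only the setting's name is logged.
    error_log("wp-config: required setting {$name} is not set");
    http_response_code(500);
    exit('Configuration error.');
}

// Database credentials plus the authentication keys and salts.
foreach (['DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST',
          'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
          'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'] as $key) {
    define($key, wp_secret($key));
}

$table_prefix = 'wp_';

if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}
require_once ABSPATH . 'wp-settings.php';
```

Adding `wp-secrets.php` to `.gitignore` before the first commit matters, because a value committed once stays in the repository history even after the file is deleted.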