Backup files (.bak, .old, .zip, .sql, ~ files left by editors) are sometimes accidentally left in a site's public folder during development or migration — these often contain full database dumps or complete site copies that bypass every access control your live site has.
Backup files (wp-config.bak, database.sql, site.zip) often contain plaintext credentials. They're frequently left in web roots during migrations and never removed.
No backup-pattern files are accessible via direct URL request, and a server-level rule blocks the common extensions as a backstop.
Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.
Run this check in H.I.V.E. →