Backup files such as MySQL dumps, and wp-config.php backup files should not be stored in your WordPress install’s public_html (root folder). It’s important to note that the backup wp-config.php file can provide an easy way for a site attacker to find the database credentials. These credentials can then be used to directly connect to your site to insert content in the site’s database or to create an admin user to install and deploy malicious content to your site from plugin installs. One of the easiest security plugins to scan for those types of files is Wordfence. To ensure that files