Configuration files often contain database strings (username/password/host), allowing attackers to dump your entire user database.
Keep your server configurations tight, your sensitive files off the web root, and your directory indexing turned . indexofpassword
Directory indexing is often enabled by default in many legacy server environments. It becomes a security nightmare due to: indexofpassword
Automated backup scripts sometimes drop .sql or .zip files into public-facing folders. indexofpassword