.bak file - security risk
The back-up file is automaticly created, but when programming with for example a file like “config.php” where you store passwords, the back-up file, also uploaded is readable trough the web. So your passwords are free to grab. “config.php.bak” wont act like a php file, so is plain text.
I think this is a big security risk.
Then don’t upload it?!!
And storing passwords in plain text in files is not what you should do anyway.