
Be careful with backups of config.php


One big security hole that is all too common with Moodle is taking a backup of the config.php file and giving it a non-PHP extension, e.g. config.php.bak.

What this usually does is leave the file viewable by anyone who visits its URL, e.g. https://yourmoodle.com/config.php.bak

Because the file no longer has a .php extension, the web server does not run it as a PHP script. It is sent to the browser as plain text instead, exposing any sensitive information in config.php such as your database name, database user and password!

So if you need to back up your config.php file before editing, make sure you put that backup outside of the public web server directory!
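
One way to follow this advice from the shell, as an added example that is not part of the original page: one function lists copies of config.php already sitting in the web root under a non-PHP name, the other takes the backup into a private directory outside it. The paths `/var/www/moodle` and `/var/backups/moodle-config` and both function names are assumptions; adjust them to your install.

```shell
#!/bin/sh
# Added example: both paths and both function names are assumptions.
MOODLE_ROOT="${MOODLE_ROOT:-/var/www/moodle}"            # assumed public web directory
BACKUP_DIR="${BACKUP_DIR:-/var/backups/moodle-config}"   # assumed directory outside it

# List copies of config.php under the web root whose names do not end in
# .php (config.php.bak, config.php~, config.php.old, editor swap files).
find_exposed_config_copies() {
    find "$1" -type f \
        \( -name 'config.php?*' -o -name '.config.php.sw?' \) \
        ! -name '*.php' | sort
}

# Copy <web root>/config.php into a private directory outside the web root
# and print the path of the copy. Fails if the target is inside the web root.
backup_config() {
    bc_src="$1/config.php"
    [ -f "$bc_src" ] || { echo "no config.php in $1" >&2; return 1; }
    mkdir -p "$2" || return 1
    bc_root=$(cd "$1" && pwd -P) || return 1
    bc_dir=$(cd "$2" && pwd -P) || return 1
    case "$bc_dir/" in
        "$bc_root"/*)
            echo "refusing: $bc_dir is inside the web root $bc_root" >&2
            return 1 ;;
    esac
    chmod 700 "$bc_dir" || return 1
    bc_dest="$bc_dir/config.php.$(date +%Y%m%d-%H%M%S)"
    # umask 077 so the copy is never group- or world-readable, even briefly.
    ( umask 077; cp "$bc_src" "$bc_dest" ) || return 1
    chmod 600 "$bc_dest" || return 1
    printf '%s\n' "$bc_dest"
}

# Typical use (run as a user that can read config.php):
#   find_exposed_config_copies "$MOODLE_ROOT"   # move or delete anything listed
#   backup_config "$MOODLE_ROOT" "$BACKUP_DIR"  # then edit config.php
```

Anything the first function lists is readable over the web in the same way as config.php.bak and should be moved out of the web root or deleted.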