
Tag: Security

Beware creating backups of wp-config.php

Have you ever renamed a PHP file in your WordPress installation by appending .bak, .old or something like that to the end of the filename? If your answer is yes, you may be exposing your site to a severe security risk.

Altering the name of a .php file as described above means your server is not going to process the file as PHP anymore. Instead, the server will let a visitor download or open the file as plain text. Therefore, someone trying to find vulnerabilities in your site would be able to read the contents of your renamed PHP files.

If the renamed file doesn’t contain any sensitive data and is just code, maybe it’s not something to worry about. But if you did that to an important WordPress file, such as wp-config.php, you’re allowing a potential attacker to learn very sensitive data. And yeah, that’s something to be really worried about!
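
To audit your own site for this, here is an added example (not code from the original post) that walks a WordPress document root, lists PHP files with an appended suffix, and marks the ones that contain wp-config.php constants. The function names, the set of PHP-handled extensions and the sample files are assumptions made for illustration.

```python
import os
import re
import tempfile

# Extensions assumed to be mapped to the PHP handler; adjust to your server.
PHP_HANDLED = {".php", ".phtml", ".phar"}
# ".php" followed by an appended suffix: wp-config.php.bak, .php.old, .php~
RENAMED_RE = re.compile(r"\.php[.~_-].*$", re.IGNORECASE)
# Constants that wp-config.php defines for database credentials and salts.
SECRET_RE = re.compile(rb"DB_PASSWORD|DB_USER|AUTH_KEY|SECURE_AUTH_SALT")


def find_exposed_php_copies(docroot):
    """Return sorted (relative_path, has_secrets) for renamed PHP files."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            ext = os.path.splitext(name.lower())[1]
            if ext in PHP_HANDLED or not RENAMED_RE.search(name):
                continue  # still executed as PHP, or not a PHP copy
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    has_secrets = bool(SECRET_RE.search(fh.read(65536)))
            except OSError:
                continue  # unreadable: skip instead of aborting the scan
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            findings.append((rel, has_secrets))
    # Files that hold credentials sort first.
    return sorted(findings, key=lambda f: (not f[1], f[0]))


def demo():  # scans a constructed docroot (sample files, not a real site)
    config = "<?php define('DB_PASSWORD', 'constructed-sample');\n"
    sample = {
        "wp-config.php": config,          # executed by PHP, not flagged
        "wp-config.php.bak": config,      # served as text, holds credentials
        "wp-content/themes/x/functions.php.old": "<?php // code only\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return find_exposed_php_copies(root)


if __name__ == "__main__":
    print(demo())
```

Point `find_exposed_php_copies()` at your real document root, then delete every file it reports or move it outside the web-accessible directory.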