I recently did a series of articles regarding Types of WordPress Malware Attacks and What They Do and this is just one example of a poor security practice that most people engage in.
For example, this Montenegrin website that can be found by Google Dorking has a backup of the wp-config.php file named c2onfig.txt

If RemoteMySQL access is enabled, the login information in this file can be used to log into the database.
But no need to do that because this website also contains an uninstalled version of InfiniteWP. 🤦

Therefore, you can install InfinityWP on the domain and manage this website as well as many others by using the MySQL login credentials from the residual backup of the configuration file.
Here are some simple methods to check if your WordPress website is also vulnerable to information disclosure: https://wpxss.com/wp-admin/what-is-data-breach-information-disclosure-and-how-to-prevent-wordpress-information-disclosure/#link-check-if-your-website-is-vulnerable