If enabled, a daily cleanup process removes unneeded files from your WordPress installation. Access to .bak, .sql and other files is blocked via the firewall module.
These files are not needed, but are sometimes created automatically. For instance, a plugin might make a copy of your wp-config.php file before making changes.
If the backup file is not removed afterwards, a hacker could try to locate that file and read its contents. This would give the attacker your database password and, from there, complete control.
Although it is a very simple security step, removing these files is often forgotten, so Security Ninja can help you by looking for and deleting the most common filenames.
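
To see what such a cleanup has to find, here is an added example (not Security Ninja's own code) that audits a WordPress root for leftover files and lists first the ones that still contain the database password. The filename patterns, function names and sample tree are assumptions; the page names only .bak, .sql and copies of wp-config.php.

```python
import fnmatch
import tempfile
from pathlib import Path

# Assumed patterns: the page names only .bak, .sql and copies of wp-config.php.
RISKY_GLOBS = ("*.bak", "*.sql")
LEGIT_CONFIG_NAMES = {"wp-config.php", "wp-config-sample.php"}  # shipped by WordPress

def classify(path: Path):
    """Return (reason, holds_db_password) for a leftover file, else None."""
    name = path.name.lower()
    if name.startswith("wp-config") and name not in LEGIT_CONFIG_NAMES:
        reason = "copy of wp-config.php"
    elif any(fnmatch.fnmatchcase(name, g) for g in RISKY_GLOBS):
        reason = "backup or SQL dump"
    else:
        return None
    with path.open("rb") as fh:
        head = fh.read(64 * 1024)  # enough for a config copy, cheap for a dump
    return reason, b"DB_PASSWORD" in head

def find_leftovers(root: Path):
    """Walk a WordPress root and list leftover files, credential holders first."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and (verdict := classify(path)):
            hits.append((path.relative_to(root).as_posix(), *verdict))
    return sorted(hits, key=lambda h: (not h[2], h[0]))

def build_sample_tree(root: Path):
    """Constructed sample install, not taken from a real site."""
    secret = "<?php define('DB_PASSWORD', 'constructed-example');\n"
    files = {
        "wp-config.php": secret,
        "wp-config-sample.php": "<?php define('DB_PASSWORD', 'password_here');\n",
        "wp-config.php.bak": secret,
        "wp-content/uploads/dump.sql": "CREATE TABLE wp_users (id INT);\n",
        "wp-content/plugins/demo/settings.BAK": "cache=1\n",
        "index.php": "<?php // front controller\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for rel, reason, has_secret in find_leftovers(Path(tmp)):
            print(f"{rel}: {reason} (DB_PASSWORD present: {has_secret})")
```

The live wp-config.php and the stock wp-config-sample.php are deliberately excluded, so only stray copies are reported.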