Known conflicts with password protected or under construction websites.
There is a problem with some of the security tests when you run them on a website with a maintenance or a coming soon plugin installed and activated.
By definition, these plugins block requests to sections of your website and redirects to another URL or show different content than anticipated. This means some tests are showing the wrong result as a result.
One such example is the test for the readme.html file. The test is carried out via visiting the URL for the file and checking the result. This test could also have been done just checking via the filesystem, but this is the most accurate way to test for sites that hide that they run WordPress.
What about the firewall?
You can still have the firewall activated, this feature helps protect the website from malicious page requests also when under maintenance for those requests that do not get redirected.