Check for `.sql` files that could be easily publicly-exposed

For instance, `{DB_NAME}.sql` in the web root or `wp-content` directory can be easily guessed.

However, we shouldn't flag SQL files generated by backup plugins and similar that either live in obscured directories (some hash appended) or are protected by `.htaccess` files.