Use WordPress and WP Auto Upgrade plugin? Pay attention. I spotted this thread recently while monitoring the WordPress forums. There is a possibility WPAU backup folder is being used as an entry point for hackers.

What you can do: If you’ve used WPAU, make sure you clean up your files after upgrading. If you’re not sure, log into your WordPress, navigate to WPAU, there should be a link to that says to click on it to clean up the log before proceeding. If there is no such link that means you have done it already. Another way to check is to use FTP to look into your wpau-backup folder.

You may also want to delete that folder once you’re done. I’m not sure if this will affect the plugin later on or not, my guess is no. If you’re not comfortable with deleting, move the folder to a non publicly accessible folder – usually outside the public_html. Alternatively, you may want to create an htaccess file inside the wpau-backup folder and enter this code in it, save.

deny from all

That will keep snoopers out of the folder. Consider also telling search engine robots to skip this folder when indexing by adding this to your robots.txt file.

User-agent: *
Disallow: /cgi-bin/