Website Security Tips
Because someone can easily view your code by entering the file name after the URL
such as mysite.com/script.js
Again, someone could tamper with it
aka sanitize input. Find out more about sanitation here
For the fourth one, it is just better to store it all on a server or a database or something... If someone sees a file with a weird name, it will make the person curious and want to click it... It is known that passwords are either stored in something very generic like passwords.txt or some weird name, given that the person has the passwords public though. It is honestly better to use an authentication API on a server that reads hashes from a local file that is not hosted by the server.