Yeah, these are false flags… and this plugin’s design looks to be not-so-great because it says there is an “unknown” or “severe” issue but it doesn’t tell you what the issue actually is.
For ClassicPress, you might try Shield Security instead: Shield Security now tailored for CP