If you find multiple wp-blog-header.php, wp-cron.php, and .htaccess files outside of the public folder on your server in WordPress, be careful. These files are most likely malware that propagates automatically.

If you have WordPress files in a location other than the public folder on the server with WordPress

If there are many .php or HTACCESS files located in folders other than the public WordPress folder (www, public_html), such as htpasswd, script, xserver_php, mail, or folders above them, the server is infected with malware and malware damage may have spread to the entire server. If you have a large number of .php or HTACCESS files located in folders other than htpasswd, script, xserver_php, mail, or the folders above them, they may be infected with malware and the malware may have spread to the entire server.

As an example
.htaccess
wp-blog-header.php
wp-cron.php
and moon.php or PHP files with random strings.

If you download these files using FTP software, open them with a text editor, and see the following obfuscation, the malware is automatically spreading the infection to all folders.

PHP files only work on the server, so even if you open the malware with a text editor, it will not infect your PC.

Why is malware generated in every folder at the server location?

The reason for this is that somewhere on the server there is a type of malware called a backdoor that automatically writes malware to every folder on the server.

PHP file malware cannot take effect without access, so it does not make sense if it is outside the public folders, but because of the low quality of the backdoor, it can write a lot of malware not only to the folder where WordPress is located, but also to private folders.

*But if a malicious HTACCESS file is written outside the public folder, it can adversely affect the lower level folders, making it impossible to log in to WordPress or disabling some functions of the administration panel.

How to deal with malware written outside the public folder

If you are sure that the malware is not in the public folder of the server, you can remove it by deleting the file as is.

However, it is possible that a backdoor or other malware may have infected some of the folders where WordPress is located, so it is also necessary to inspect and remove malware from WordPress as a whole. (If you do not delete the main body file of the malware that is infecting WordPress, it will re-infect the WordPress site.)

Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].

We also need to close the vulnerability that allowed hackers to deface the site in the first place.

Reference
Five WordPress security measures

If left unchecked, malware can lead to exclusion from search results, inaccessibility of the site, and users being redirected to other malicious sites where they can be infected with viruses.

If you feel that the situation is out of control, please consider consulting a specialist as soon as possible.

Related Posts:

  1. Small.php malware proliferating in various WordPress servers
    We will explain about small.php, a malware that has been expanding recently....
  2. Example of malware spreading to initial subdomain folders of a server
    Many of today’s malware spread infection to all folders beyond the domain folders in the server. In this article, we will discuss the infection of initial subdomain folders on unused servers, which is often overlooked....
  3. How to stop the execution of PHP programs in the wordpress security improvement upload folder
    You can improve security by preventing the execution of PHP programs in the upload folder of WordPress uploaded images and other folders that contain only static files outside of WordPress....
  4. What to do if you have multiple WordPress sites on your server and find that they are infected with malware
    If you have multiple WordPress sites on your server and find that they are infected with malware, here is what to do....
  5. WordPress HTACCESS has been tampered with and access to the admin panel is no longer possible
    Recently, a type of malware has become popular in which a WordPress site is tampered with, and although the site can be displayed without problems, the administrator screen cannot be accessed. We will explain how to deal with this case....
  6. What to do when multiple (or all) sites on a single server are infected with malware
    We are seeing an increasing number of cases of multiple WordPress sites on multiple domains within a single server, all or many of which are infected with malware (viruses and tampering)....