If you have multiple WordPress sites on your server and find that they are infected with malware, here is what to do.
If a backdoor is embedded in one site on a server, it can spread to other folders on other sites on that server.
Most Japanese servers allow multiple domains under a single contract, with WordPress installed and running in the folder of each domain.
The problem is that since these multiple sites share the top folder, some malware may have the ability to jump over the domain folders and spread infection to the folders of other sites.
Therefore, if a malware-infected site is left unattended for an extended period of time, the malware may spread to all sites on the server.
Running Multiple WordPress Sites Safely
1 Never leave an abandoned site on the server.
If you leave a site on your server that is no longer in use, it may be unwittingly hacked and infected with malware and spread from that site to the entire server if the site’s program is outdated and has known vulnerabilities.
We recommend that you delete all PHP and other data from unused sites on your server.
2 Consider the security of all sites on the server.
It is always a good idea to improve the security of all sites on the server.
Make sure you have strong passwords for the WordPress administrator, etc.
Remove unused themes and plug-ins.
Keep plug-ins and WordPress as up-to-date as possible.
Use security plug-ins.
Check for vulnerabilities.
Check for malware regularly, if possible.
These measures should be taken for all sites on all servers.
Reference
Five free WordPress security measures
3 Minimize the number of site installations on one server contract
If possible, we would prefer to host customer sites and other sites on smaller server contracts, no more than 5 sites per contract.
In this case, even if malware infection comes from somewhere, it will only spread to a maximum of 5 sites.
If you have multiple WordPress sites on your server that are found to be infected with malware
In this case, we recommend that you request professional malware removal.
If possible, we also recommend that you delete the unused sites and have all sites on the server scanned for malware, removed, and secured, as there may already be a backdoor embedded in one of the other sites on the server.
Please consider using the WordPress Doctor malware scanning plugin, which provides a free malware scan.
[Free] WordPress:Malware Scanning & Security Plugin [Malware and Virus Detection and Removal].