If index.php in the WordPress top directory, in a theme, or elsewhere contains a one-line @include statement, it is highly likely that the site is infected with malware.


Malware infection via @include in WordPress

This is the most commonly detected type of malware.
It modifies index.php in the WordPress top directory or in a theme and embeds an include statement with the following characteristics.

Random string comments above and below the @include statement
A single tampered-in @include line that reads another file on the server

What does this tampering do?

The tampered line is basically code that reads and executes the main body of the malware, which is stored in a separate folder from index.php. index.php itself is executed on every page of the site.

As a result, the main malware function runs on every page of the site whenever a user visits.
The @ in @include suppresses error output, so no error is displayed even if the file being loaded disappears.

The main body of the malware loaded by @include is located at the path given by the string that follows it, but in many cases the string is obfuscated so that the location is difficult to tell just by looking at it.
Click here for a tool to remove the obfuscation.

The random-string comments above and below the @include statement are identifiers that the malware itself or other backdoors can use to check whether the embedded line has been erased.
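
As an added example (not code from this article or from any plug-in it mentions), the following Python functions scan PHP source for one-line @include statements, report whether random-string comments sit above and below each one, and decode the path. They assume the obfuscation consists of PHP octal/hex string escapes and that the markers are /*...*/ comments made of letters and digits; the sample index.php content is constructed.

```python
import re

# One-line error-suppressed include/require with a quoted path.
INCLUDE_RE = re.compile(
    r'@\s*(?:include|require)(?:_once)?\s*\(?\s*(["\'])(?P<path>.*?)\1\s*\)?\s*;', re.I)
# Assumed marker form: a line holding only /*letters-and-digits*/.
MARKER_RE = re.compile(r'^\s*/\*\s*[0-9A-Za-z]{3,32}\s*\*/\s*$')
# Assumed obfuscation: PHP double-quoted escapes, \x2f (hex) or \057 (octal).
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')

def decode_php_escapes(s):
    """Resolve hex/octal escapes so the real path of the loaded file is readable."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16) if m.group(1) else int(m.group(2), 8) & 0xFF), s)

def _nearest_nonblank(lines, i, step):
    """Return the closest non-empty line above (step=-1) or below (step=1) line i."""
    i += step
    while 0 <= i < len(lines) and not lines[i].strip():
        i += step
    return lines[i] if 0 <= i < len(lines) else ''

def find_suspicious_includes(php_source):
    """One finding per @include line; escapes are decoded only for double-quoted paths."""
    lines = php_source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = INCLUDE_RE.search(line)
        if not m:
            continue
        raw, double_quoted = m.group('path'), m.group(1) == '"'
        findings.append({
            'line': i + 1,
            'path': decode_php_escapes(raw) if double_quoted else raw,
            'obfuscated': double_quoted and bool(ESCAPE_RE.search(raw)),
            'marker_above': bool(MARKER_RE.match(_nearest_nonblank(lines, i, -1))),
            'marker_below': bool(MARKER_RE.match(_nearest_nonblank(lines, i, 1))),
        })
    return findings

# Constructed sample of a tampered index.php (not taken from a real site).
SAMPLE = r'''<?php
/*a81f3*/

@include "\057var\057www/\167p-content/uploads/.\143ache.ico";

/*a81f3*/
require __DIR__ . '/wp-blog-header.php';
'''
```

Calling find_suspicious_includes(SAMPLE) returns one finding for line 4 with the decoded path; to check a real file, pass its contents read as text.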

What if @include tampering is found on a WordPress site?

In this case, the WordPress site has already been compromised and hackers are free to tamper with it. It is highly likely that the site contains multiple pieces of embedded malware or vulnerabilities, not just the @include and the body it loads.

Therefore, malware removal and security measures must be taken for all sites on the server.
(If one site on the server is infected, the infection can spread to other sites across folders starting from that site.)

Malware scanning and removal can be done to some extent with plug-ins.
[Free] WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]

Reference articles on security measures
5 Free WordPress Security Measures