If you find multiple wp-blog-header.php, wp-cron.php, and .htaccess files outside of the public folder on your server in WordPress, be careful. These files are most likely malware that propagates automatically.
If you have WordPress files in a location other than the public folder on the server with WordPress
If there are many .php or HTACCESS files located in folders other than the public WordPress folder (www, public_html), such as htpasswd, script, xserver_php, mail, or folders above them, the server is infected with malware and malware damage may have spread to the entire server. If you have a large number of .php or HTACCESS files located in folders other than htpasswd, script, xserver_php, mail, or the folders above them, they may be infected with malware and the malware may have spread to the entire server.
As an example
.htaccess
wp-blog-header.php
wp-cron.php
and moon.php or PHP files with random strings.
If you download these files using FTP software, open them with a text editor, and see the following obfuscation, the malware is automatically spreading the infection to all folders.
PHP files only work on the server, so even if you open the malware with a text editor, it will not infect your PC.
Why is malware generated in every folder at the server location?
The reason for this is that somewhere on the server there is a type of malware called a backdoor that automatically writes malware to every folder on the server.
PHP file malware cannot take effect without access, so it does not make sense if it is outside the public folders, but because of the low quality of the backdoor, it can write a lot of malware not only to the folder where WordPress is located, but also to private folders.
*But if a malicious HTACCESS file is written outside the public folder, it can adversely affect the lower level folders, making it impossible to log in to WordPress or disabling some functions of the administration panel.
How to deal with malware written outside the public folder
If you are sure that the malware is not in the public folder of the server, you can remove it by deleting the file as is.
However, it is possible that a backdoor or other malware may have infected some of the folders where WordPress is located, so it is also necessary to inspect and remove malware from WordPress as a whole. (If you do not delete the main body file of the malware that is infecting WordPress, it will re-infect the WordPress site.)
Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].
We also need to close the vulnerability that allowed hackers to deface the site in the first place.
Reference
Five WordPress security measures
If left unchecked, malware can lead to exclusion from search results, inaccessibility of the site, and users being redirected to other malicious sites where they can be infected with viruses.
If you feel that the situation is out of control, please consider consulting a specialist as soon as possible.