We would like to explain from our experience whether WordPress malware can infect the server itself (Apache).


What is a server in WordPress?

WordPress runs on the rental server you have signed up for.
In order to run WordPress, the following programs must be installed and running on the server, and many rental servers may already have them installed and running.

Linux
This is the operating system on which the server is running. The following three software programs are running on this OS

Apache
Software that sends HTML code to the browser.

Mysql database
Software that stores WordPress settings and text data

PHP
PHP is basically a programming language that pulls WordPress information from the database, processes it, and combines it with HTML for output. WordPress is a system written entirely in PHP as the programming language executed on the server side.

Can WordPress malware infect a server?

For shared servers

There are two types of servers: shared servers and dedicated servers. A shared server is a type of server where the software configuration is determined by the server management company and is shared by multiple users.

In this case, if the server software, such as Linux, Apache, Mysql, PHP, etc., has been fundamentally hacked in such a way that the hacker can change it at will, the server root privileges have been taken away, and this is a serious situation.
All user sites within it are at risk.

In our experience, in the case of shared servers, the server management company is responsible for maintaining security on the server side, and we have never seen a major company’s shared server fundamentally hacked.
If the server itself has not been hacked, in most cases the responsibility lies with the user as a result of poor WordPress security management on the user’s side.

Almost all folders on a shared server have been compromised.

However, there are often cases where a single server user has a folder containing sites from multiple domains, all of which are infected with malware.

This is caused by a weak WordPress administrator password or a vulnerability in a WordPress plugin that allows hackers to infiltrate WordPress and spread malware beyond the domain folders.

Reference
What is a WordPress program vulnerability?

Even in this situation, the core software on the server side, such as Linux, Apache, Mysql, and PHP, is intact and has not been tampered with in any way.

Dedicated Server

A dedicated server is a type of server where the user has root privileges and can decide (install) the server software configuration itself.
VPS is also included in a dedicated server in a broad sense.

On a dedicated server, the user is also responsible for the security of the server itself, which means that server security must be considered in addition to WordPress security.

If a dedicated server is breached, the server itself can be installed with malware that runs on a programming language other than PHP that performs some kind of malicious activity.

Also, the root privileges of the server, not the WordPress administration panel, may be taken away. In this case, any site running on that server, including WordPress, can be modified in any way.

For this reason, we do not recommend that companies that do not have a dedicated server security technician install WordPress on a dedicated server, as it runs well on a shared server.

Free WordPress: Malware Scanning & Security Plug-in [Malware and Virus Detection and Removal]