I work as a front end developer at a company. This site is using WordPress and I need a paid plugin, but I wanted to test the full version first without paying, so I googled it. Downloaded it and installed it right away.
NOTE I was working on the test server, where all other projects are placed in a subdirectory of public_html (public_html/websites/<other websites>), but instead on placing the website folder where are the others, I placed it in the parent directory (public_html), (where are some others folders and files). Everything goes fine, but a few days later, I wanted to modify something in functions.php of that theme and I noticed a strange code, base64 format, so I decrypted it and turns out it's a backdoor that puts code in other files of the theme, so it can add an Admin in the DB anytime, so it can remotely connect to the website. Because, as I said, the website was in the public_html directory, and the virus search for the other folders and files in the same directory and his children, it affected the rest of the websites (50+).
I reported that to my boss, but says it's fine and to give more attention next time and to install the website in the same directory as the others. Couldn't fix automatically and I had to remove manually in every website every file created and the lines that the virus added.