Malware

How to find out where the virus is on the hosting and what does it do?

A virus has appeared on the hosting. I found it by accident, uploaded the layout for the client (html, css, js) to a test site on the hosting and saw that there were php files in the folder. At first I thought that maybe some package in npm creates virus files at different intervals during the build, which, out of habit, are copied and sent to the server. I do the assembly with gulp.

Judging by the timing, at 18 o'clock the first stage, at 21 the second stage. It is possible that at 18 I uploaded, but there is nothing in the build (I sent it to the git). A day later, hosting went down with an error of 500 and using 400 MB of RAM.

The virus pretends to be Wordpress files. The hosting has one site on Wordpress, but it has been updated without plugins, I think it is unlikely that this is it. Now I accidentally checked the site through pagespeed, it shows some other site (although in fact the site opens normally)

What could be the misfortune? How to treat it and, most importantly, how to avoid it in the future?

Working machine on MacOS