These files (circled in red) were added by some hacker, and have just been sitting on the web server, alongside the other WordPress 'core' files. This overall concept applies to Joomla and Drupal sites, too, not just WordPress. This is because they all run on the same type of server & hosting environment: Linux, Apache, MySQL, PHP.
At some point, the hacker can come back and actually start exploiting the site - either by defacing it, adding hidden landing pages (used in phishing attacks), or redirecting your traffic to ad-sites. And they could have done this at any time since 2018!
Your site was already hacked?
Even if you install the latest WordPress updates and patch all of the plugins, those hacked files are still going to be sitting there on the server, meaning a hacker could still stumble across them and hijack the site.
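One way to find such leftover files, as an added example that is not code from this page: hash every file in the live install and compare it against a clean copy of the same release, listing files that were added or changed. The function names and the sample file trees are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def audit(live_root, clean_manifest):
    """Compare a live install against a clean manifest of the same release."""
    live = build_manifest(live_root)
    added = sorted(p for p in live if p not in clean_manifest)
    # Paths absent from the manifest default to their own hash, so they only count as added.
    modified = sorted(p for p in live if clean_manifest.get(p, live[p]) != live[p])
    return {"added": added, "modified": modified}

def demo():
    """Constructed sample: a clean tree and a live tree with two changes."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        core = {"index.php": b"<?php // core\n", "wp-includes/load.php": b"<?php // load\n"}
        for root in (clean, live):
            for rel, body in core.items():
                os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
                with open(os.path.join(root, rel), "wb") as fh:
                    fh.write(body)
        # Constructed changes: one extra file beside core, one edited core file.
        with open(os.path.join(live, "wp-includes/extra-file.php"), "wb") as fh:
            fh.write(b"<?php // not part of the release\n")
        with open(os.path.join(live, "index.php"), "ab") as fh:
            fh.write(b"// appended line\n")
        return audit(live, build_manifest(clean))

if __name__ == "__main__":
    print(demo())
```

Directories such as wp-content hold site-specific themes, plugins and uploads that a clean core copy does not contain, so compare those against clean copies of the same plugin and theme versions.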
If your site has been hacked and you're looking for someone to take over the ongoing maintenance, we are now offering service plans:
Most small sites are covered by our 2 hours Per Month maintenance plan. Larger, complex sites may require additional time. Contact us today if you're not sure which plan applies to your site and would like a no-obligation quote.