It wasn't a backup. It was a web shell. The attacker had named it backup-handler.php and hid it inside a legitimate theme directory.
She requested that file directly:
/var/www/veridianhome/wp-content/themes/legacy-core/inc/backup-handler.php hacktricks wordpress
The repository revealed a developer had hardcoded FTP credentials in a deleted commit. She cloned the exposed repo locally and ran git log -p to find the last legitimate change before the breach.
https://veridianhome.com/.git/config
curl -I https://veridianhome.com
The culprit file: wp-content/themes/legacy-core/functions.php . It wasn't a backup
A 200 OK, but the X-Powered-By header still read PHP/7.2.34 . Ancient. Vulnerable.