unauthorized applications installed into /public_html

Does any one know about the following types of occurrences?

I signed up for WEBSITEDEFENDER and was alerted with this

New applications were detected in the following directories on your web server.
A new instance of WordPress was detected in /home/wendyhub/public_html

WEBSITEDEFENDER gave this answer for a solution:

You should investigate the origin of this new application. If it was installed without authorization then it could indicate a malicious intrusion.

I looked and found this, “d4564dc9e9625dfe9fa06df71fcfc17b85d3e56a.php,” file in /public_html which looks malicious. I deleted it yesterday. All is working onsite except I am still getting spammed even using my (CCF) Custom Contact Form using capcha text.

I installed custom contact form (free) yesterday and today received 3 spam messages. Do you think malware has integrated into my site?
What can you tell me about this?
Do you think the php file is the application referenced here by WEBSITEDEFENDER?

Any help is appreciated.