Since PHP runs as interpreted code, an intruder can get malicious code to run on a site by altering an existing file or uploading one that contains PHP code. It doesn't have to have a .php extension. Stack Overflow discusses the many ways of executing data as code. Some of them, such as include and require, are necessary for the language to work at all. Others, like eval, venture into the dangerous realm of generating code on the fly.
Intruders only need to inject a small amount of code to install a backdoor that lets them run arbitrary code on the server. A simple backdoor can be just eighteen characters of code. It's a naive hack that will try to run anything anyone submits in a form as PHP. A site with moderately good cybersecurity measures is likely to catch it quickly. But more sophisticated backdoors do essentially the same thing. They just take extra steps to hide themselves. They obfuscate the code and make sure only the people who introduced the backdoor can use it.
A well-disguised backdoor can remain on the server for a long time. Its purpose usually isn't to take the website down or change its content, but to serve as a jumping-off point to attack high-value sites. The criminals who introduced it can use it for a variety of purposes since they can run any kind of PHP code. If they don't overplay their hand, the administrators might not notice it for weeks or months, if ever. It's only when the site gets blacklisted that they notice something is wrong.
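One way an administrator can look for the traits described above (PHP code in a file without a .php extension, eval fed from form input, eval wrapped around a decoder) is a periodic scan of the web root. The Python script below is an added example, not code from the original article; the regular expressions, the extension list and the sample files are assumptions constructed for the demonstration, and a determined attacker can evade simple pattern matching.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumptions for this example, not an exhaustive signature set).
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.I)
# Dynamic code execution fed directly from request data.
EVAL_INPUT = re.compile(rb"\b(?:eval|assert)\s*\(\s*[^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)
# Decoder output passed straight to eval: a common way to hide the payload.
EVAL_DECODE = re.compile(rb"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
PHP_EXTENSIONS = {".php", ".phtml", ".inc"}

def scan_file(path: Path) -> list[str]:
    """Return the findings for one file (an empty list means nothing was flagged)."""
    data = path.read_bytes()
    if not PHP_TAG.search(data):
        return []
    findings = []
    if path.suffix.lower() not in PHP_EXTENSIONS:
        findings.append("php-code-in-non-php-file")
    if EVAL_INPUT.search(data):
        findings.append("eval-of-request-input")
    if EVAL_DECODE.search(data):
        findings.append("eval-of-decoded-data")
    return findings

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk root and map relative path -> findings for every flagged file."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        findings = scan_file(path)
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report

def build_sample_tree(root: Path) -> None:
    """Constructed sample files for the demonstration; not taken from a real incident."""
    (root / "uploads").mkdir(parents=True)
    (root / "index.php").write_bytes(b"<?php require 'header.php'; echo 'Welcome'; ?>")
    (root / "uploads" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (root / "uploads" / "avatar.jpg").write_bytes(b"\xff\xd8\xff\xe0<?php eval($_POST['c']); ?>")
    (root / "cache.php").write_bytes(b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for name, findings in scan_tree(Path(tmp)).items():
            print(name, findings)
```

A hit is a reason to inspect the file, not proof of compromise: legitimate code sometimes uses these functions, and binary files can contain the tag bytes by chance.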