It is extremely unlikely that SQL Injection 0-day was used in this attack. WordPress is one of the most insecure PHP projects I have ever audited, and it won a pwnie award for being so insecure. The “WordPress hackers” are a complete joke, they rejected one of my vulnerability reports because they where unable to grasp the simple flaw, they didn’t even bother running my exploit code. (The flaw was patched.)

Using FTP is an extremely bad idea. You are transmitting plain text passwords and source code over the open internet in CLEAR TEXT, you must be completely insane. Use SFTP!!!! I know there is a virus (can’t remember the name…) that is spreading by sniffing network traffic looking for FTP passwords, then it logs in, and modifies .php and .html files it finds. Run an anti-virus on all machines with FTP access to the server, AVG will remove this virus.

I bet that wordpress or one of your plugins has never been updated. Vulnerabilities in plugins are a commonly used to break into web applications. Check all your version numbers of all installed libraries/web apps.

If you want to test your site for SQL Injection then turn display_errors=On in your php.ini and run the Sitewatch free service* or the open source Wapiti. After you patch any vulnerabilities, re run the scan to make sure your patches hold. Then run PhpSecInfo to lock down your php install. Make sure to remove all RED entries from the report.

*I am affiliated with this site/service.