Always follow up with some basic security checks!

Figuring out how the rats are getting into the barn is always tough (my apologies to rats for the comparison). Most hosting services will help by checking access logs, looking at file ownership etc. so ask your hosting service for any information they can provide.

The most common thing I see is hackers exploit vulnerabilities in older versions of software. Make sure all your software, CMS/themes/plugins is up to date, the latest versions, patches etc. Never leave any inactive files -- plugins/themes old versions, etc. on your site. With a WP site scan through this article -- Hardening_WordPress.

I also see a lot of compromised passwords. Start by doing a scan of your PC and make sure there are no Trojans/viruses capturing your ids/passwords, use a couple of different security packages. There are several free anti-virus packages available but the paid versions are certainly worth the investment! Change ALL passwords especially FTP. Never store/save your passwords in your FTP client, use secure FTP if available. Install a good anti-virus program and do regular scans of your computer. You hosting service may be able to help you pin it down, if you notify when you see any changes they could check the access logs and maybe determine the account being used when the files are modified. With a WordPress site you need to change your Security / Secret Keys.

I also see problems with file/folder permissions. The hackers get access to a site and open the file permissions up on a folder/file so they can continue to get access even if you change passwords etc. You'll see different views on what permissions should be I go with Files set to 644 Folders set to 755. It is a good idea to regularly check file/folder permissions.

I also see hackers leave a backdoor on a site. This is usually a php file hidden away somewhere with system files, /cgi-bin/ used to be a popular place. This will be a php file that is not part of your site and it will contain a bunch of base64_encoded stuff. You would see lines of php code that start out eval(base64_decode(' or eval(gzinflate(base64_decode(' or eval(gzuncompress(base64_decode(' followed by a long string of seemingly random characters. There is a article with some tips on how to locate a backdoor on a site at Finding a a "backdoor" on your website.