Solution:
It’s tricky to handle this. One of the common ways this happens is that on a shared server a malicious user can use another account and insert a file in your upload directory (which is often world writeable on shared servers) by going down and back up the filesystem. It’s not really an issue of passwords being cracked. Things you can do:
- Use a private/virtual server- just not the standard shared type with more than one user in the same filesytem
- Keep WordPress updated
- Check all your theme and plugins for online notices of vulnerabilities. A big one is that many themes use timthumb.php for image resize which had a big security hole last year. You can continue using it but make sure to replace it with the current version.
For hosting I highly recommend using something such as http://WPEngine.com as you will not only get a private experience but they will also be more top of security scans than standard hosting companies.
Also if your site has been hacked you must be very very careful to remove all backdoors – I recommend doing a clean install which is obviously tough since you have to put your theme back and that can contain backdoors as well. Malicious users will create multiple backdoors in case one gets taken down. There are a few scripts online that will scan for these but none that is perfect. Making a cleab install, then backing it up offline in case of a hack is a good option.