While surfing the web yesterday, I read one company's story of how their WordPress website had been hacked. Their description contained this:
"To our amazement, we discovered that a common line of malware code had been surreptitiously added to folders throughout our website: our header, our index page, every plug-in folder and our functions."
There is an easy way to prevent this. We do it for every WordPress blog and website we build, using a free plugin: WordPress File Monitor. Every 30 minutes (or whatever period you specify) it wakes up and calculates a cryptographic hash for every file on your website. If anything changes, it sends you an email. It also detects when files have been added or deleted.
Not only will you know instantly that you've been hacked, you'll also know exactly which files have been tampered with.
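The same hash-and-compare check, as an added example in Python (not the plugin's own code): it records a digest for every file, then reports files that were added, deleted or changed since the baseline. SHA-256, the function names, the skipped cache directory and the baseline file are assumptions made for illustration.

```python
import hashlib
import json
import os
import sys

def snapshot(root, skip_dirs=("wp-content/cache",)):
    """Map relative path -> SHA-256 digest; skip_dirs is an assumed noise filter."""
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        # Prune skipped directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if f"{rel_dir}/{d}".removeprefix("./") not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # e.g. a dangling symlink
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hashes[rel] = digest.hexdigest()
    return hashes

def compare(baseline, current):
    """Classify the differences between two snapshots."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "deleted": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }

def main(root, baseline_file):
    current = snapshot(root)
    if not os.path.exists(baseline_file):  # first run: record the known-good state
        with open(baseline_file, "w") as fh:
            json.dump(current, fh)
        return 0
    with open(baseline_file) as fh:
        report = compare(json.load(fh), current)
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind}: {p}")
    return 1 if any(report.values()) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

Run it from cron with the site root and a baseline path as arguments; the non-zero exit status on any difference is what a wrapper can turn into the alert email. Keep the baseline file outside the web root and not writable by the web server's user, otherwise whoever altered the site files can rewrite the baseline as well.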
There are also commercial firms that do this and much more. The one we like and recommend is Sucuri.net.
Either of these solutions would have saved them a lot of grief.
Every owner of a WordPress website needs to be taking some elementary security measures these days.