The three most common hacks and/or techniques used in attacking WordPress websites are:
1. Brute Force Attack – Using a password list, a “bot” is designed to go to your wp-login.php page and simply guess your username and password. This creates two issues: your website will run slower due to the heavy traffic, and your password might be on that list, in which case the hacker will attain administrator access to your website.
2. SQL Injection – Usually a hacker will use a third-party plugin that has been installed on your website to gain access to your entire database. With access to your database, the hacker is able to change any passwords and retrieve any emails or usernames, and even credit card numbers if you are collecting them on your website.
3. Cross Site Scripting – We have noticed this method occurring when you are using a nulled/pirated copy of a plugin. Malicious code has already been added to the theme and/or plugin. The code will auto-execute and will, for example, show porn ads or advertisements targeting a specific product and/or website.
These three methods seem to be the most popular ways your WordPress setup might be compromised.
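
One way to spot the brute force pattern from item 1 in a web server access log, as an added example that is not part of the original page. It assumes Combined Log Format lines in chronological order; the function name, threshold, window and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format prefix: ip - - [time] "METHOD path HTTP/x" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_login_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each flagged IP to its peak POST count against wp-login.php in any
    `window`, plus whether a 302 followed once the threshold was reached."""
    recent = defaultdict(deque)          # ip -> timestamps inside the window
    report = {}
    for line in lines:                   # assumes chronological order
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string so /wp-login.php?action=... still counts.
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:        # expire attempts older than window
            q.popleft()
        if len(q) >= threshold:
            entry = report.setdefault(m["ip"], {"peak": 0, "redirect_seen": False})
            entry["peak"] = max(entry["peak"], len(q))
            # Assumption: stock WordPress answers a successful login with 302.
            entry["redirect_seen"] |= m["status"] == "302"
    return report

def _sample(ip, second, status):         # builds one constructed log line
    return (f'{ip} - - [10/Jan/2024:12:00:{second:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 1500 "-" "-"')

# Constructed sample: one noisy client, one ordinary user login.
SAMPLE_LOG = [_sample("203.0.113.7", s, 200) for s in range(0, 12, 2)]
SAMPLE_LOG.append(_sample("203.0.113.7", 13, 302))
SAMPLE_LOG.append(_sample("198.51.100.20", 20, 302))

if __name__ == "__main__":
    for ip, info in find_login_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A flagged address with `redirect_seen` set is the case to check first, since it suggests one of the guesses may have worked.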