[codelust]

Common mode of infection I have seen with Wordpress is through site owners downloading premium themes that have been uploaded into file sharing sites by malware authors.

The site owners can't, in most cases, poke around to see what is in the code. And the code often contains hooks that inject various things into the installation.

The other route in is through scripts like TimThumb, which is included in a lot of themes. TT has had some serious security holes in it, the last one being fairly recent that allows for remote file execution. At that point, at least the account hosting the file is a goner.