I have a domain name for which I installed wordpress with a bunch of plugins (but didn’t really use it yet). A few days or even weeks I realized the folder has been suffixed with DISABLED_FOR_EXPLOIT__CONTACT_DREAMHOST.

My registrar has also put it on hold poiting to https://zeustracker.abuse.ch/monitor.php?host=mydomain.com
which said something bad but since it has disappeared.

What happened ? Is my site being hacked ? Is it Wordpress which is insecure ?

It’s might be one of the plugins that insecure. Opening a support ticket (i.e. “contact dreamhost”) and see what they tell you.

Perhaps someone compromised your account at the registrar as well if they took action as well.