You’re running WordPress, so here’s the most frustrating thing about it when you’re hacked: If you don’t clean up every last inch of it right, those Damn Dirty Hackers come back over and over again.
Generally speaking, they get in because of a vulnerability in one of your themes or plugins, OR they’ve got your password. DH servers are pretty secure and so is core WordPress (nothing is 100% in life, it’s a moving target and we’re constantly working to make WP and DH tougher). The problem with plugins and themes is they’re not as rigorously peer reviewed. Speaking as a plugin review volunteer for WordPress.org, most of the insecurities are never reported
I’ve been maintaining this wiki page for how to clean up a WP hack: http://wiki.dreamhost.com/WordPress_Hacks
The tl;dr is that you’re going to delete all the WP files except for your uploaded content and your config file, change your passwords, THEN reinstall all the files. I would recommend reading the page if you’ve never tried that before, but it is exactly the steps I go through when I clean up someone’s hacked site.