WordPress hacked, but how.

Could be a file permissions issue or vulnerability with that theme, could be the webhost, etc. Could be FTP password, if it was weak and there was password grabbing malware on your PC.

Work your way through these resources and follow all instructions to completely clean your site or you may be hacked again. See FAQ: My site was hacked ? WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress ? WordPress Codex.

Change all passwords. Scan your own PC. Use https://sitecheck.sucuri.net/ before and after.

Tell your web host you got hacked; and consider changing to a more secure host: Recommended WordPress Web Hosting

If you can’t do the work yourself, consider looking for a reputable person on freelancing sites such as Elance. (FYI, it’s not a good idea to respond to unsolicited emails from forum users offering to work for you.)

Hello. I lived the same things several times. What a pity that yes, it may happen unless you get more security steps.

* change your ftp and wordpress admin panel passwords
* scan your computer with anti-virüs and anti-spyware softwares.
* use the last version of WordPress, theme and plugins.
* use the last version of Filezilla and do not save ftp passwords on Filezilla.
* you may think about changing your hosting provider.
* And finally and the most important do use a security plugin.

[Email address redacted]