On the off chance that the web host could find something I emailed support.
They were doing my support request, plus they sent me this advice.
I have scanned your account and I was unable to find any malicious code from your website files. Also, please change the password of your account/FTP to strong value and remove unwanted FTP users if any exists.
In order to prevent the hackers attack in the future, you will have to ensure that:
1. Generate a strong password combination for account, ftp, and database.
2. Scan local computer with good antivirus, antispyware programs and clean bad programs.
3. Keep the software up-to-date with vendors/developers, and seek their support/forums for any known vulnerabilities/fixes/workarounds available.
4. Do not assign 777 permissions to any of the files or folders as it makes them world writable and could lead to such issues.
5. Remove any unneeded folders, files and if you are running any web application like Joomla, WordPress, osCommerce, Moodle.. etc keep them up-to-date with latest stable version.
This can happen for various reasons like:
1. Poor/compromised account/FTP password, which allows hackers to guess the password [or use brutforce tools] and get unauthorized access.
2. Your computer infected by viruses, which is controlled by hackers. In this situation, your uploaded files also get infected.
3. Poor scripts, which allow hackers to insert various malformed queries and remotely execute the code and perform intended action.
4. Virus effected theme selection for the application.
5. Installing application which are downloaded form third party sites; mainly not genuine sites.
This advice is better than what I got from a different host on a previous hack, which was ‘delete all your files and reinstall from your backup’. It turned out all I had to do was delete about 5 wp files and upload new ones.