I've had two clients in the last few months who have reported disturbing activity. One had a whole phishing site hidden deep within her site, and the other had hidden links put into his WordPress footer template file.
In both these cases the person who did the hacking had to have some sort of access. In the first case FTP access was required; in the second it could have happened through either FTP/cPanel or WordPress admin.
In the first case the culprit was a trojan keylogger on the client's computer. I'm waiting to hear back from the second.
I just told him to change ALL his passwords to every damn thing, his site, his WordPress installation, his email, his online banking, his PayPal and eBay accounts, etc. Then to run the online scan here:
a-squared Web Malware Scanner - Scan and clean your computer from Trojans, Worms, Dialers, Keyloggers and Spyware/Adware for free! (IE/ActiveX required for scan)
Then, if the box comes up dirty, and I'm having a feeling it will, since I know he's an IE user, I told him to get the box cleaned and then change all passwords AGAIN.
I've also suggested monitoring the URLs accessed in stats to check for anomalies.
Keeping your site safe also means keeping your computer safe as well.
If anyone else has any suggestions, I'd appreciate hearing them.
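One way to check accessed URLs for anomalies, as an added example that is not part of the original post: compare the paths the server actually served in the current period against those seen in a period believed clean, and list anything new. It assumes Apache/Nginx combined-format access logs; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format: host ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def served_paths(log_lines):
    """Count hits per path (query string stripped) for requests answered with 2xx."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["status"].startswith("2"):  # ignore malformed lines and 3xx/4xx/5xx
            hits[m["path"].split("?", 1)[0]] += 1
    return hits

def new_served_paths(baseline_lines, current_lines, min_hits=2):
    """Paths served now that never appeared in the known-clean baseline period."""
    known = set(served_paths(baseline_lines))
    current = served_paths(current_lines)
    return {p: n for p, n in sorted(current.items())
            if p not in known and n >= min_hits}

# Constructed sample data (documentation IP ranges, made-up paths).
BASELINE = [
    '192.0.2.10 - - [10/Jan/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Jan/2024:12:01:00 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Jan/2024:12:01:01 +0000] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]
CURRENT = [
    '198.51.100.7 - - [12/Feb/2024:08:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [12/Feb/2024:08:05:00 +0000] "GET /images/old/.cache/login/index.php?id=1 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
    '203.0.113.21 - - [12/Feb/2024:08:06:00 +0000] "GET /images/old/.cache/login/index.php?id=2 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
    '203.0.113.21 - - [12/Feb/2024:08:06:30 +0000] "POST /images/old/.cache/login/submit.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '203.0.113.30 - - [12/Feb/2024:08:07:00 +0000] "GET /nope.php HTTP/1.1" 404 300 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Feb/2024:08:08:00 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, hits in new_served_paths(BASELINE, CURRENT, min_hits=1).items():
        print(f"{hits:5d}  {path}")
```

Paths that show up here and that the site owner did not publish are the ones to inspect on disk; legitimately new posts and uploads will also appear, so the list needs a quick manual review.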