It is extremely unlikely that an SQL Injection 0-day was used in this attack. WordPress is one of the most insecure PHP projects I've ever tested, and it won the Pwnie Award for being so insecure. WordPress hackers are a complete joke: they rejected one of my vulnerability reports because they couldn't understand a simple flaw; they didn't even bother to run my exploit code. (The bug has been fixed.)
Using FTP is an extremely bad idea. You send plain-text passwords and source code over the open Internet in CLEAR TEXT; you must be absolutely insane. Use SFTP!!!! I know that there is a virus (I don't remember the name...) that spreads by sniffing network traffic looking for FTP passwords, then logs in and modifies the .php and .html files it finds. Run antivirus on all computers with FTP access to the server; AVG will remove this virus.
I am sure that WordPress or one of your plugins has never been updated. Vulnerabilities in plugins are commonly used to hack web applications. Check the version numbers of all installed libraries / web applications.
If you want to test your site for SQL Injection, then set display_errors=On in php.ini and run the free Sitewatch* service or the open-source Wapiti. After fixing any vulnerabilities, re-run the check to make sure that your fixes have taken effect. Then run PhpSecInfo to lock down your PHP installation. Be sure to remove all RED entries from the report.
* I am associated with this site / service.
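As an added illustration of two checks recommended in this answer (taking an inventory of installed plugin versions, and noticing when .php/.html files in the web root have been modified or dropped), here is a small Python script. It is not from the answer or from WordPress itself; it assumes the standard WordPress plugin header format (`Plugin Name:` / `Version:` in the main plugin file) and a conventional `wp-content/plugins` layout, and it builds a constructed, temporary web root so it runs offline.

```python
"""Inventory WordPress plugin versions and baseline/verify .php and .html files.

Added example (not from the original answer). Assumes WordPress's real plugin
header convention ("Plugin Name:", "Version:") and a wp-content/plugins layout.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Matches header lines such as "Plugin Name: Foo" or " * Version: 1.2.3".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)
WATCHED_SUFFIXES = {".php", ".html"}


def plugin_inventory(plugins_dir):
    """Return {plugin_dir_name: (plugin_name, version)} from plugin file headers."""
    inventory = {}
    for plugin_dir in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        for php_file in sorted(plugin_dir.glob("*.php")):
            # WordPress only reads the first few KB of the main file for headers.
            head = php_file.read_text(errors="replace")[:8192]
            fields = dict(HEADER_RE.findall(head))
            if "Plugin Name" in fields:
                inventory[plugin_dir.name] = (fields["Plugin Name"], fields.get("Version", "unknown"))
                break
    return inventory


def baseline(root):
    """SHA-256 every .php/.html file under root, keyed by POSIX-style relative path."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in WATCHED_SUFFIXES:
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(old, new):
    """Return (modified, added, removed) relative paths between two baselines."""
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    return modified, added, removed


def demo():
    """Constructed sample web root: one plugin, a baseline, then a simulated change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin = root / "wp-content" / "plugins" / "example-plugin"
        plugin.mkdir(parents=True)
        (plugin / "example-plugin.php").write_text(
            "<?php\n/*\nPlugin Name: Example Plugin\nVersion: 1.2.3\n*/\n")
        (root / "index.php").write_text("<?php echo 'hello';\n")

        inventory = plugin_inventory(root / "wp-content" / "plugins")
        before = baseline(root)

        # Simulate the kind of change the answer describes: an existing file
        # edited and a new .php file appearing in the web root (constructed).
        (root / "index.php").write_text("<?php echo 'hello';\n<!-- constructed change -->\n")
        (root / "wp-content" / "dropped.php").write_text("<?php /* constructed new file */\n")
        after = baseline(root)

        return inventory, compare(before, after)


if __name__ == "__main__":
    inv, (modified, added, removed) = demo()
    for name, (title, version) in inv.items():
        print(f"plugin {name}: {title} {version}")
    print("modified:", modified)
    print("added:", added)
    print("removed:", removed)
```

In practice you would run `baseline()` against the real web root right after a clean install or update, store the result off the server, and re-run `compare()` on a schedule; any modified or added .php/.html file that you did not deploy yourself is worth investigating. The inventory is only as useful as the comparison you make with it: check each reported version against the plugin's current release.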