Anscheinend über manipulierte PHP-Dateien.
It's hard to say for sure how this was done, but in this site there were two known security vulnerabilities:
- admin user was still in use (you should delete/rename the admin user).
- Outdated plugins and core
Source