There is a long comment thread on mezzoblue discussing what seems to be a pattern of website hacking. There doesn't seem to be any consensus on what's causing the problem. Maybe WordPress, maybe other bad PHP code, maybe the host systems being hacked. All I know is, I don't trust PHP apps, and at this point, I don't run public servers without a really good reason. The Moodle code must be pretty well written and audited, because that's one important PHP app I don't hear problems about.
Later... Aha. The problem was Dreamhost getting hacked.