I know quite a bit about this subject.

One they wouldnt bother unless it was an easily compromised "hack" or security hole.

Something not necessarily WP wasnt up to date because "hackers" dont just spend countless hours trying to compromise a site. They go after easy targets. Usually this type of stuff is a patch that just was not implemented. It could be on the server level I dont know where the leak is but thats most likely the case.

Two I would hope that is the case because they are not necessarily targeting just your site. Most likely they are sniffing out sites near them that might all have the same hole. If this is not the case then you might be looking at a whole other set of issues.

Thirdly they really arent trying to trash you personally they are exploiting a known security gap. Unfortunately there is no real cure for this. Anyone who has a lot of bandwith is a target because you have a lot of bandwith. It might not have even been a targeted attack and might have well been an attack that was sent out in the form of a worm or virus. Again I dont know but most likely they did not attack you personally it just seems that way.

Fourth Unfortunately since you are not a software developer you cant really do much about this except hope your host has preventive measures. The best thing you can hope for is that either they dont do it again, or you have a solid backup, or whoever owns the software you use removes the security leak or patches it.

Fifth Most likely this attack is quite old and is well known. Very few attackers are on the up and up when it comes to these sorts of attacks. They merely exploit people who dont update their software ( again I know you say WP is up to date but I dont think this has anything to do with WP itself) or just plain dont know any better. There is no cure to this problem unless you are entirely proactive and are a security expert. The only thing you can do is make sure you have a good backup and store that in a safe place and make sure your backup is always up to date.

I realize this is no solution other than making sure you backup but I am just trying to say how this type of this is usually performed and why. There is a lot of money in compromising peoples security.

Just thank god they didnt backdoor your computers. You would not want your pc a part of a botnet. You can wiki that if you want.. but trust me you are lucky. There are much worse things.

Here is something to back up what I am saying.

I googled word press and back door.

http://www.webappsec.org/projects/whid/list_id_2007-08.shtml

http://www.sitepoint.com/blogs/2007/03/07/news-wire-cracker-adds-backdoor-to-wordpress/

That attack was in 2007 and you can see by reading that the software itself was compromised. Once software becomes populare it makes it a target.

wordpress backdoor 2008

http://newsworldwide.wordpress.com/2008/05/02/microsoft-discloses-government-backdoor-on-windows-operating-systems/  << thats just plain scary

http://www.keithgoodrum.com/can-somebody-drive-a-truck-through-the-back-door-of-your-wordpress-blog/ 

That one above there might add some insight into this. It really is about knowing security. I cant claim I am a WP expert I dont know anything about it. But in general terms.. be careful what you are doing out there.

Actually that last link I think describes what most likely happened to you.

5. Protect your wp-admin folder - This folder has some php files that are vulnerable. Just like the folders above you don't want anyone gaining access to this folder. There is a plugin called AskApache Password Protect. It adds a 2nd layer of security to your blog by requiring a username and password to access anything in the /wp-admin/ folder. You can get the plugin here: http://wordpress.org/extend/plugins/askapache-password-protect/#post-2892

6. Consider changing your login username - By default the username for the administrator is admin. If you are worried that someone might be able to crack your password, then changing the administrator username could stop them

I bet this is it.