Попали на 99% через кривые WP плагины.
>Как больше этого не допустить?
Не использовать вордпресс или на крайний случай его плагины.

The same story happened with reg.ru. I do not know what to do. I am inclined to believe that the problem was precisely in the local elevation of rights on the entire hosting, and they hacked not through me, but through another site (where the old wp could well have been). But there cannot be 100% certainty here, I looked at the Apache logs, but I didn’t find anything very unusual (I’m certainly not an expert). Maybe you can come up with something useful.

If the web server (Apache, nginx,...) has rights to the root directory or to one of its directories, then they could find a vulnerability in the scripts and "apply" the necessary files. The classic is .... I
recommend walking for example Manul'om from Yandex to search for vulnerabilities.

try the plugin Anti-Malware Security and Brute-Force Firewall

How to prevent this from happening again?

"Wordpress - всегда хорошо" (с)
любитель шеллов