One of my clients has a rather popular sports site based on WordPress. The site is up-to-date and running on a DV server. A few weeks ago malicious code started to appear on the site, setting off warnings from anti-virus programs that monitor websites.
The best defense is a good file monitoring plugin such as WordPress File Monitor. This plugin monitors the file system for added/deleted/changed files and sends you an email when a change is detected. You can exclude certain folders or files. Still, you will get notification emails when you update plugins or work on a theme. This is a small price to pay for knowing when a file has been changed by someone else.
WordPress File Monitor will not tell you if you have infected files already. You need to use it to prevent future attacks. If your site is already infected, you can re-install WordPress. Then, replace your plugin files and possibly theme files. If your site is clean now, it’s much easier to keep it that way with WordPress File Monitor.
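The added/deleted/changed check with exclusions described above, as an added example in Python; it is not the plugin's code, and the SHA-256 hashing, function names, and sample paths are assumptions made for illustration. It also shows why a baseline taken from an infected tree reports nothing: only differences from the recorded state are flagged.

```python
import hashlib
import tempfile
from fnmatch import fnmatch
from pathlib import Path


def snapshot(root, exclude=()):
    """Map relative path -> SHA-256 of content, skipping excluded globs."""
    digests = {}
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if not path.is_file() or any(fnmatch(rel, pat) for pat in exclude):
            continue  # directories, or excluded paths such as a cache folder
        digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline, current):
    """Classify paths as added, deleted or changed since the baseline."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "deleted": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def write_file(root, rel, data):
    """Hypothetical helper: create parent folders and write a sample file."""
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(data)


def demo(exclude=("wp-content/cache/*",)):
    """Constructed sample tree (not a real install): baseline, edit, rescan."""
    with tempfile.TemporaryDirectory() as site:
        write_file(site, "wp-content/themes/t/footer.php", "<?php // footer\n")
        write_file(site, "wp-content/plugins/p/old.php", "<?php // old\n")
        baseline = snapshot(site, exclude)  # assumed to be a known-clean state
        write_file(site, "wp-content/themes/t/footer.php", "<?php // edited\n")
        Path(site, "wp-content/plugins/p/old.php").unlink()
        write_file(site, "wp-content/uploads/new.php", "<?php // unexpected\n")
        write_file(site, "wp-content/cache/page.html", "cached")  # excluded
        return compare(baseline, snapshot(site, exclude))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Because the comparison is on file content rather than modification time, a file that is altered and then has its timestamp reset still shows up as changed.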