Every attack is unique and the best thing you can do is to analyze the Apache access log files to find out how the hackers managed to access your site. You can read the following article which I wrote for Smashing magazine:
http://www.smashingmagazine.com/2014/05/30/are-you-prepared-against-a-hack/
It provides information how to prepare for a hack. Here is one more good article about the most common WP security issues (written by Siobhan McKeown)
http://www.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/