With that obligatory notice out of the way, this was not the most fun way to spend a Monday night. Unlike the November 2013 hack, which was completely my fault, I'm not entirely sure how this one happened. I've identified Wordpress on another site as the culprit, so I've locked it down until I can pick apart what's going on there.
As far I am currently aware, the only thing that happened as a result of the compromise was a series of obscure files being uploaded to the server (obviously now removed), which triggered the web host's security systems and quarantined the entire directory.
I'll be sure to keep you all updated if I find out more. Meanwhile, business as usual. Keep on doing dragon things.