We've found that the majority of WordPress site infections are due to either WordPress itself or one or more of its plugins not being updated.
More often than not, it's the plugins that don't get updated.
It would be nice if WordPress had a "Vulnerable Plugins" list similar to what Joomla has with their "Vulnerable Extensions" list.
The standard .htaccess file that comes with WordPress doesn't protect your plugins all that well.
Your .htaccess file also needs to protect your wp-content folder from outside injections and inclusions.
Hackers know that when you update your WordPress files, you delete the wp-admin and wp-includes folders, then copy those from the updated files, then copy over the root and wp-content folders from the update.
However, they also know that very little in the wp-content folder gets replaced during an update. Therefore, the safest place for hackers to hide their malware is somewhere in the wp-content folder, usually in a theme or plugin folder.
Rarely do we see where all the plugins have been kept updated.
In the log files for infected sites we see many entries with:
base64_decode(' followed by a long string
GET query strings containing http:// (followed by the URL of some hacked or hacker-controlled website from which a file can be remotely included)
So the .htaccess should prevent any direct access to .php files in the wp-content folder. Only "internal" access to these files should be allowed. Same rule holds true for the wp-includes folder.
Remember that .htaccess controls access for HTTP requests, not internal program requests such as PHP include calls.
You also need to prevent code from running in any image folders and similar upload locations.
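One way to express those rules in the site-root .htaccess, as an added example that is not from the original post. It assumes WordPress is installed at the document root and that mod_rewrite is available (WordPress permalinks already require it); the plugin path in the exception line is a placeholder.

```apache
# Added example: put this ABOVE the "# BEGIN WordPress" block so it runs
# before WordPress's own rewrite to index.php. Assumes WordPress lives at
# the document root (RewriteBase /).
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Placeholder for a plugin that legitimately needs a browser-reachable
    # PHP file. List such files explicitly rather than loosening the rule.
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/PLACEHOLDER-PLUGIN/ajax\.php$

    # Refuse HTTP requests for any PHP-style file under wp-content (themes,
    # plugins, uploads, image folders). PHP include()/require() calls made
    # by WordPress are not HTTP requests, so internal use keeps working.
    RewriteRule ^wp-content/.+\.(php|phtml|php[0-9])$ - [F,L]

    # Same for wp-includes and wp-admin/includes: include-only files.
    RewriteRule ^wp-includes/.+\.php$ - [F,L]
    RewriteRule ^wp-admin/includes/ - [F,L]

    # Drop requests whose query string carries the base64_decode( pattern
    # seen in the infected-site logs. "%28" is the URL-encoded "(", since
    # RewriteCond sees the raw, undecoded query string.
    RewriteCond %{QUERY_STRING} base64_decode(\(|%28) [NC]
    RewriteRule .* - [F,L]
</IfModule>
```

After deploying, watch the access log for 403 responses on paths under wp-content or wp-includes that real users or plugins need, and add those as explicit exceptions instead of widening the patterns.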