From Hoster
"A trojan on your computer has nothing to do with the server being infected - the trojans steal passwords from your computer, then hackers use those legitimate usernames and passwords to upload malicious content to your site. Yes, we have software on the server to detect malicious files which is how we knew your site was compromised and trace it back to stolen username/passwords"
To date, I have yet to see Mac malware that grabs server credentials.
What I do see (all the frikkin' time) is brute-force attacks against servers, looking for passwords for FTP, or WordPress, or Joomla, or other CMS packages. I run security software on my Web servers and I see about 1-2 of these brute-force attacks per day on most of my sites.
What that means is if you use a weak password, you will, sooner or later, get hacked. It is my belief, based on the patterns of attacks I see on my own servers, and the incidence of malware I see in the world, that more servers are compromised by brute-force hack attacks than by password-stealing Trojans.
The upshot of all that is Sophos might not have saved you. It's possible your site was hacked simply by means of a brute-force attack. Even passwords that "look" secure (like by scrambling words by filling in numbers in place of letters) aren't necessarily secure...and the little built-in secure password test of many major apps like WordPress isn't actually worth crap. These things may give a high security rating to insecure passwords and vice versa.
So what do you do? Use long passwords. Use long passwords made up of letters, numbers, and punctuation. Use long passwords made up of multiple words and also letters, numbers, and punctuation.
In the day of rainbow tables and distributed brute-force attacks, 8-character or shorter passwords pretty much suck no matter how tricky they look. A password like "How?Now!Purple{{Cow" is far better than a password like "aCv1gh"--the latter will be cracked in no time.
Don't use FTP. It's inherently insecure by design. For one thing, passwords are sent in the clear, so if you're on Wifi, anyone near you can grab your credentials. Use SFTP or something else (like WebDAV).
Update your CMS, if you use one, RELIGIOUSLY. Every time WordPress releases a security update, for instance, hackers go to work reverse-engineering the update looking for the vulnerability that was fixed. This gives you, typically, about a 24-hour margin between the time when the update is released and the time hackers start exploiting it. Update early and update often. If it's been 48 hours since a security update was released, and you haven't installed it yet, assume you have been compromised and act accordingly.
Every major CMS has security hardening plugins and/or auto-updating plugins available. Use them. If you use WordPress, turn on auto updates and install the free WordFence security plugin. If you use more than one WordPress site, install the free InfiniteWP software that lets you manage all of them with one button click and also emails you whenever any of your plugins or your WordPress install itself is out of date. If you use something other than WordPress, find the equivalent tools for it.
This will do far more to protect you than installing Sophos on your computer will.
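Two of the points in the post above (length beats "trickiness", and brute-force attempts showing up in server logs) are easy to check with a small script. The following is an added example, not code from the original post or from any of the products it names. It estimates the search space an attacker faces for the two passwords quoted in the post, and then runs a simple failed-login burst detector over a handful of constructed FTP-style log lines; the log format, the guess rate, the threshold and the window size are all assumptions chosen for illustration.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ---------------------------------------------------------------
# Part 1: password search space from length and character classes
# ---------------------------------------------------------------

def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover, judged only from the classes present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation plus space
    return size

def brute_force_bits(pw: str) -> float:
    """log2 of the search space: an upper bound on work for an attacker who
    knows only the length and character classes (dictionary attacks do better)."""
    return len(pw) * math.log2(charset_size(pw))

def seconds_to_exhaust(pw: str, guesses_per_second: float = 1e10) -> float:
    """Time to try every candidate at an assumed offline guess rate (assumption)."""
    return 2 ** brute_force_bits(pw) / guesses_per_second

# ---------------------------------------------------------------
# Part 2: flag a source that fails many logins inside a short window
# ---------------------------------------------------------------

# Constructed sample log lines in an assumed format; not from any real server.
SAMPLE_LOG = """\
2024-05-01T10:00:01 ftp login FAIL user=admin ip=203.0.113.7
2024-05-01T10:00:03 ftp login FAIL user=admin ip=203.0.113.7
2024-05-01T10:00:05 ftp login FAIL user=root ip=203.0.113.7
2024-05-01T10:00:07 ftp login FAIL user=wordpress ip=203.0.113.7
2024-05-01T10:00:09 ftp login FAIL user=test ip=203.0.113.7
2024-05-01T10:00:11 ftp login FAIL user=admin ip=203.0.113.7
2024-05-01T10:02:30 ftp login FAIL user=jane ip=198.51.100.22
2024-05-01T10:02:41 ftp login OK user=jane ip=198.51.100.22
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) ftp login (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)"
)

def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> dict:
    """Return {ip: max_failures_in_any_window} for every source IP whose failed
    logins reach `threshold` inside a sliding window of length `window`."""
    failures = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue  # ignore malformed lines and successful logins
        failures[m["ip"]].append(datetime.fromisoformat(m["ts"]))

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for pw in ("aCv1gh", "How?Now!Purple{{Cow"):
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits, "
              f"{seconds_to_exhaust(pw):.3g} s to exhaust at 1e10 guesses/s")
    print("flagged sources:", detect_bruteforce(SAMPLE_LOG.splitlines()))
```

The first part shows the gap the post describes: the six-character mixed-case password has a search space that an offline cracker at the assumed rate exhausts in seconds, while the nineteen-character phrase sits well over 100 bits even before counting the punctuation as unusual. The second part is the shape of the check that security plugins run against authentication logs: one source address that fails repeatedly in a short window gets flagged, while a user who mistypes once and then logs in does not. A slow attacker who spreads attempts over hours would slip under this window, which is why long passwords and a non-cleartext transport matter more than the detector.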