Your site host may be very sharp and knowledgable about photography, web hosting, and server based software such as wordpress, but that does not necessarily translate into knowledge of OS X.
This means that either the FTP password was easy to guess and was brute forced,
Choosing a weak password, or breaking a password with a brute force attack has absolutely nothing nothing to do with your computer or anything on your computer. However Keychain Access and several third party applications will suggest strong passwords for your use.
… or a computer that had the FTP password stored, or used the FTP account in the past, was hacked and infected with malware/trojan/viruses/keyloggers.
Given there has never been such a malware/virus/
trojan/keylogger identified on a Mac the potentially infected computer would almost certainly have to have been a PC therefore an antivirus solution on your Mac would not have any benefit. The one known trojan for the Mac was a DNS redirector not a keyword thief and it was obviated by an OS X patch that both removed the virus and the vulnerability shortly after its discovery.
There are a lot of known viruses and trojans in the wild that are specifically designed to steal FTP passwords stored in FTP accounts, even if they haven't been used in years.
Antivirus software can only detect known viruses from their
signature or bit pattern and the only known signatures are for Windows PCs
which cannot infect a Mac. Sophos and others do a good job of detecting Windows viruses contained in email or downloaded files on your Mac and can help prevent you from unwittingly passing those viruses along to your PC using friends but little to protect your Mac.
Trojans, true to the implication of their name, require your complicity and trick you into installing them on your Mac and are extremely difficult to differentiate from legitimate software installations. Your best protection is to avoid downloading software from sketchy websites or software aggregators who use their own installer which may include unwanted malware or adware in the package.
