Thanks Joe:
To clarify, my ISP is ATT; they are not involved.
Who I meant is my web hoster: the one who hosts my WordPress blog. Something bad happened with the blog, I think I could not log in. And they sent me that email. The implication was I was at fault. They solved the situation, created a nice new long password, and then insisted I get the AV.
But they were wrong? My computer having an AV would not have prevented what happened?
Correct.
You set up a WordPress blog. Someone got into it. There are three ways that people hack into WordPress blogs:
1. When you created the WordPress blog you did not choose a good password. They figured out the password.
2. You did not do security updates on the WordPress blog.
3. Your Windows PC got infected with a Trojan.
You do not have a Windows PC, so that means (3) is not what happened. That leaves either 1 or 2.
They said the hackers used FTP to get in. That rules out (2). That leaves only one possibility: you did not choose a good password, so the hackers figured it out.
Note that this is not the password on your computer; it's the password you set up WordPress with.