And this is a big reason is why you pay a real sysadmin to do your system administration.
In short, people were installing WordPress badly (friends don't let friends use PHP). They were allowing password authenticated ssh login over the internet. They were doing
chmod 0777 ~apache/html_docs. They were doing other highly unsafe things.
If you can't see the problem with these things, then you need to talk to a professional sysadmin.