There is a pretty big WordPress flaw out there at the moment, with loads of sites being compromised. We are on 3.9.1 (latest and greatest) and we use extremely complex passwords on all administrator-level accounts.
I have fixed the shopping cart by the way...