I experienced a hack of the header.php file that resulted in an inserted iframe that contained Search Results Clicking fraud (the inserted code simulates a click on search results links, giving the hacker "click income").
I believe the attack vector was on a local computer that had a 'drive-by' insertion of some java exploit. I do keep my system quite current on patches, so can't verify the attack vector.
But I believe that, once the exploit got into my system, it used my FTP credentials to upload a changed header.php file to a WP site's active theme folder. And the reason that was successful is because I was using FileZilla as my FTP client.
FileZilla stores FTP credentials (site/user/password) in an easily accessable plain text file. These credentials are not encrypted. And this easily accessable exploit of the FileZilla FTP credentials doesn't seem to be any concern to the FileZilla developers.
So, my warning to others: do not use FileZilla as your FTP client. Uninstall, then manually remove the settings file (not removed by the uninstall, look in your %APPDATA% folder).
Then change all your FTP site credentials. And then use a different FTP client program. I recommend WinSCP, which has an optional 'master' password that will encrypt your FTP credentials.
IMHO: do not use FileZilla if you enable it's 'save password' feature. Your sites will most likely be compromised.
...Rick...