before everyone reminds you that you should be consulting an attorney for legal advice, you can't even begin to discuss this without knowing: - the jurisdiction in which the suit would be filed. - the status of your relationship - "client" implies you are a consultant or independent contractor while "employment" implies a lack of autonomy in your actions and decisions. - the contractual obligations you might have.
in any case they would typically have to prove some type of damages due to your negligence or malpractice, for example.
In my terms and conditions I have a disclaimer about hacking. I tell people of the dangers and explain that while itis very unlikely it is a possibility and that we cannot be held responsible for the criminal actions of others.
I think it is extremely doubtful that you can get in trouble for this. That would be a bit like a lockmaker getting charged when someone picks a lock that he had sold.
The company hired you, the company proposed the contract, the company laid out directives for the project (i.e., "Wordpress based site," for example) the company accepted the fees . . . **if** anyone is liable it would be - you got it, the company. :-)
Second don't be so sure it's the programming itself. It's most often a malware that piggy-backs a normal FTP connection, which has nothing to do with the CMS. Until that is determined, there's really nowhere to point the finger.