1. Don't use shared hosting. Use a dedicated server
2. Make sure WP is always upto date.
3. Install WP plugins such as

Website Defender
Exploit Scanner
Login LockDown
Secure Wordpress
TAC (Theme Authenticity Checker)
User Locker

4. Follow twitter accounts and blogs such as [blog.sucuri.net...]
5. Make sure your PC is fully protected and regularly updated.

Shared Hosts vary in their level of security. Some are definitely better than others. I assume your install of WP was up to date and that you had secure salts?

Straight from the creator: Hardening WordPress [codex.wordpress.org...]

I wouldn't chock it up to mySQL, I'd chock it up to Wordpress. A good indicator would be, if you'd tried it, to just re-upload your local Wordpress files - that **usually** fixes it, especially if you don't find anything injected in the database.

The ones I've seen always involve the main page and always involve modification of files, not database content (doesn't mean other forms don't exist, but that's what I've seen.)

In addition to all of the above,

1. Also ensure all WP plug-ins are up to date.

2. Ensure your passwords for FTP/control panel, WP admin, MySQL are all different from each other and are all strong ones like ?:YC'^>s9m)E or DL2tF4bVsI7qW3.

3. If your control panel provides the option, check to ensure that MySQL connections are not allowed from outside the server (that is, no external connectivity).

4. If you use the TimThumb WP plug-in, do a web search on the vulnerability that was recently found in it, and install the updated version.

5. If your server uses suPHP (if it does, a file created by PHP will be shown as owned by your userID), you can protect the file containing your database info (wp-config.php) from being read by any other user on the same server, by setting its permissions to 0600. If you don't use suPHP (in this case, files created by PHP are shown as owned by "nobody" or "wwwdata" or anyone other than your userID), then you cannot use this method; don't change the permissions.

6. If your server provides SSH access but you don't use it, turn it off in control panel or WHM if there's a place provided for you to do that.

@rocknbill

But the hackers could have come in from another website - it's not clear how they got in. WordPress (an any CMS) are vulnerable if they are not tightened down and kept up to date. Heck, the same is true for Apache and MySQL updates. :)

as well as the user_name in My SQL database

They changed the name of your MySQL user? That seems very strange.

Make sure that the user/password combination that you use for your WordPress MySQL database is not the same as your cpanel userID/password combination.