According to the folks at WordFence, the worst malware threat out there for WordPress sites comes from a series of sites hawking free versions of premium (paid) plugins and themes. Here’s their basic modus operandi:
They offer compromised plugins and themes for free to unsuspecting webmaster who think they’re getting a great deal.
Those plugins/themes then insert backlinks and otherwise promote the source sites of the hacked goods, improving their search engine ranking and thus increasing their likelihood of being found and guaranteeing a continuous stream of victims.
They immediately insert malicious code into any other themes the site has available, so even if the pirated theme isn’t in use, the active theme gets infected.
So now they have a self-generating network of infected sites, and they use them to run malware ads (their income source).
WordPress site owners should keep in mind that when something is free, then “you’re the product” — in this case, your site, which has now been corralled into a cybercrime operation.
See also the original WordFence report.