Unless you have the logs from the day it happened, there's probably no way you're going to know how it happened. There are tons of exploits against historical versions of WordPress like 2.5. Here are a few CVEs that might be how they got in:
Do you keep your plugins up to date? There are exploits against them too, and that could be the avenue of attack.
You could spend days looking at CVEs and exploit code, but the reason they got in there (assuming it was through WordPress) was through some bug in the code. This bug was probably found several years ago, widely published, and already fixed. There's probably nothing special about your WordPress install; it was probably exploited through some automated tool looking for old versions of WordPress.
If you just want to see how someone might exploit some old version of WordPress, just search http://exploit-db.com.
FTP/SSH/Cpanel passwords are quite strong
Do you reuse passwords? Is your FTP password the same as the one for that forum you maybe registered for 3 years ago that stored its passwords in clear text and got hacked? That's another avenue of attack.