LoganSix on "A bunch of malware files. How?"

I got a list of malware files from my ISP.
How do they get there?
What can I do to prevent this from happening?

My WordPress site automatically updates.
I haven't given any access beyond the normal access when installing.

/wp-content/themes/creativity-bulb-10/functions.php (known malicious file; matched malware: LONGDEF.PHP.Spam-Links-009N.UNOFFICIAL)
/wp-content/themes/creativity-bulb-10/images/img6_new.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-24.UNOFFICIAL)
/wp-content/themes/creativity-bulb-10/comments_prevv1.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-24.UNOFFICIAL)
/wp-content/themes/index_ver1.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-24.UNOFFICIAL)
/wp-admin/maint/repair_backup.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL)
/wp-admin/css/colors/light/colors-rtl_prevv1.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL)
/wp-admin/css/colors/ocean/colors-rtl_ver1.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL)
/wp-admin/css/colors/blue/colors.min_backup.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL)
/wp-admin/css/colors/sunrise/colors_old.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL)
/wp-admin/css/colors/coffee/colors_infoold.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL)
/wp-admin/user/user-edit_noversion.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL)
/wp-admin/credits_indesit.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL)
/wp-admin/network/users_infoold.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL)
/wp-admin/images/resize-rtl-2x_infoold.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-23.UNOFFICIAL)
/wp-includes/SimplePie/Restriction_infoold.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-22.UNOFFICIAL)
/wp-includes/Text/Diff/Renderer_backup.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-22.UNOFFICIAL)
/wp-includes/Text/Diff/Engine/shell_infoold.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-22.UNOFFICIAL)
/wp-includes/fonts/dashicons_backup.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-22.UNOFFICIAL)
/wp-includes/js/mediaelement/wp-playlist_indesit.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-22.UNOFFICIAL)
/wp-includes/js/swfupload/plugins/swfupload.speed_noversion.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-22.UNOFFICIAL)
/wp-includes/js/swfupload/swfupload_bck_old.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-22.UNOFFICIAL)
/wp-includes/js/tinymce/plugins/directionality/plugin_infoold.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-22.UNOFFICIAL)
/wp-includes/js/tinymce/plugins/image/plugin_noversion.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-22.UNOFFICIAL)
/wp-includes/js/tinymce/skins/wordpress/images/playlist-video_new.php (known malicious file; matched malware: JCDEF.Obfus.CreateFunc.BackDoorEval-22.UNOFFICIAL)