One of the challenges with shared hosting is that if they can get enough privileges then potentially all sites on the server can be hit!
What version of WordPress are you all running? and are you using Contact Form 7?
My client (also 123 hosted) was running 2.9.2.
Most of these attacks happen through plugin vulnerabilities.
I’ve just installed WordPress Firewall to hopefully block future injection attacks.
Andy
