Insecure server. if it's the host move away as they're obviously using outdated software with known issues. Could also have been the company that manages the site if they haven't kept WordPress up to date.
Either way it's nothing personal. Scan around for servers with known vulnerabilities and take them over, just so happens one of those was hosting a rugby site.
Best option would have been to start with a fresh OS image, never trust a server that has been compromised & always expect the worst case scenario. Easier to do that than leave something behind that gives them access again.