I received this reply from iPage. They didn't answer my question as to whether the infection could have come via files in a shared environment:
"Thanks for contacting support. I sincerely apologize for any confusion this issue may be causing you.
After checking a few files on your account, I would like to show you an example of malware injected into your files. Please take a look at the code within the file located at '/wp-content/themes/expound/functions.php'. The first 25-30 lines of the file you'll see a big box of what appears to be gibberish within a <php> tag. This is what is known as "Base64 Malware". I located this type of malware in all above mentioned 'functions.php' files, so I assure you that the malware examples on your account are in fact legitimate. I'd also like to assure you that the antivirus application that we use for malware definitions/diagnosis is a trusted industry source.
Generally code injection into files is achieved through security vulnerabilities in Wordpress core files, plugins, and themes. It is imperative that you keep your website files for Wordpress up to date at all times to avoid exposing these vulnerabilities to hackers. For more information about how to proceed after a Wordpress hack, see the below documentation from Wordpress Codex:http://codex.wordpress.org/FAQ_My_site_was_hacked
If you'd prefer to get assistance with the cleaning of your site files, you can also purchase the Sitelock add-on to automatically fix infected site files. For more information on Sitelock see the link below:https://secure.ipage.com/product/sitelock/
Please let us know if you have any further questions. Thanks!"