A hacker has now twice managed to change the admin user password of my WordPress blog. In both cases I received an email from my WordPress installation that someone requested that the password be reset for the admin account.
The actual culprit was a bug in the Leaflet Maps Marker plugin: http://1337day.com/exploits/18944
If you see something similar, search your Apache log files for password resets to find where the problem is. For example:
grep -F 'wp-login.php?action=rp' /var/log/apache2/*
grep -F lostpassword /var/log/apache2/*
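To take the log search a step further, here is an added example (not from the original post) that lists the clients which requested a password reset and the plugin directories those same clients requested, which narrows down which plugin to inspect. The log lines, IP addresses, plugin names and function names are constructed for illustration; the input is assumed to be in Apache combined log format.

```sh
#!/bin/sh
# Added example: which clients requested password resets, and which plugin
# directories did those same clients touch? Input: Apache combined log format.

# Constructed sample lines (documentation IPs, made-up plugin names and key).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [12/Mar/2013:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/load.php?id=1 HTTP/1.1" 200 512 "-" "curl/7.0"
203.0.113.7 - - [12/Mar/2013:10:01:09 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "curl/7.0"
203.0.113.7 - - [12/Mar/2013:10:01:15 +0000] "GET /wp-login.php?action=rp&key=CONSTRUCTED&login=admin HTTP/1.1" 200 2048 "-" "curl/7.0"
198.51.100.20 - - [12/Mar/2013:10:05:00 +0000] "GET /wp-content/plugins/other-plugin/style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2013:10:05:01 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
}

# wp-login.php actions involved in a password reset ($7 is the request path).
RESET='wp-login[.]php[?]action=(lostpassword|rp|resetpass)(&|$)'

# Print "count ip" for every client that requested a reset URL, busiest first.
reset_clients() {
  awk -v re="$RESET" '$7 ~ re { n[$1]++ }
    END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print "ip plugin hits" for plugin directories requested by reset clients.
plugins_touched() {
  awk -v re="$RESET" '
    $7 ~ re { reset[$1] = 1 }
    match($7, "/wp-content/plugins/[^/?]+") {
      # 20 = length of "/wp-content/plugins/"; keep only the directory name
      hits[$1 " " substr($7, RSTART + 20, RLENGTH - 20)]++
    }
    END {
      for (k in hits) { split(k, f, " "); if (f[1] in reset) print k, hits[k] }
    }' | sort
}

# Pass log files as arguments; with none, the constructed sample is used.
input() { if [ "$#" -gt 0 ]; then cat -- "$@"; else sample_log; fi; }
input "$@" | reset_clients
input "$@" | plugins_touched
```

Rotated logs that are gzip-compressed need to be decompressed first, since the script reads plain text only.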
By the way, disabling a WordPress plugin does not prevent your site from being hacked. If you have an insecure plugin, delete it!
Use WordPress plugins sparingly and check the exploit database at http://1337day.com/ for security issues.