It won't have happened via ssh. It would most probably have been via the wordpress site you mentioned, since you saw things happening there.
PHP (and Perl) allows you to do all sorts of things, including running shell commands, unless they are locked down. A total guess would be that they ran some sort of shell script (which automates gaining of an effective shell) or other nasty script. Typically it would only have allowed access to whatever apache (or whatever user it might be if the site was running in php_fastcgi mode) would be able to access. But one mistake somewhere, or one vulnerable program, or a vulnerable kernel, could potentially allow them to gain root access.
There's bound to be some details on Google with a blow-by-blow account of how these things work.
Getting copies of your current authorized_keys is of no consequence. These are your (and potentially parallels') public keys and having access to them has no (that I know of) security consequences. But since the bad guy changed them to HIS (I assume this is what happened from what you said?), then it may have been part of what his exploit kit automatically did. But since there was no SSH access to the Container (blocked by the firewall) then it would not have benefited him.
This is probably a script kiddy or an automated bot, doing everything it can to take control. In theory it should do so in a way that you would not notice, so replacing your keys, as opposed to adding his, seems odd.
So, I'd say the key thing is to disinfect the Container, ideally change all system and Plesk/FTP/Email passwords because you have to assume if they got root access (IF they did) then they copied the databases.
If you can figure out what they actually did then that's great, and will allow you to narrow down what you have to do or at least what you have to worry about. But with only your partial log of what he did, most of it will be guess-work.
rkhunter running daily would be a good thing if it isn't doing so already (but you need to tell it when YOU change or update binaries as otherwise it can give you false positives), as it would alert you to changes in important system files and configurations. ASL 4 does something similar but mostly configuration files. Actually ASL does so many things that I've lost track so you may be able to find some interesting things about this compromise through ASL. I really must look into everything it does in more detail.
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.