WoW scripts cannot log key strokes or otherwise get access to your password (they are not loaded until after login). BUT any mod that has an installer can install whatever they want during that time. Best bet is to never install any mod that requires an installer.
You should be on a USER account, not an administrator account; that way it will have to pop up to make system changes. Typically things like key loggers would have to make changes at the system level.
If you play across WiFi, there is a possibility of someone sniffing your WiFi traffic looking for the login information. But that means that they have to be physically near you. Someone, in theory, could be watching internet traffic going to the Blizzard servers and pulling passwords from there.
Personally, if you don't have the Blizzard authenticator, or the iPhone app, then you will ALWAYS be at risk. I highly recommend getting one if you don't want to be hacked; it is worth the extra hassle.
Many hacking attempts come from fishing. They have some site somewhere that looks promising to you and then after you give them your user name and password they will use that to get into your WoW account. Sometimes just taking your password as a template and trying variations on it.
Your character names should be, in no way, associated with your account name.
Someone could also hack an account if they know account names and just trying passwords via password lists. There are some very good password lists out there.
Be careful, be cautious, and you should never use the same password on more then one site; especially for things that are important like your wow account, bank account, and others.