There are three main ways a website can be hacked or defaced.
When people think nobody is looking, they are their own worst enemy in terms of passwords.
The above quote is unfortunately true. In the many and various situations we ourselves have seen, passwords range from the traditional password1234 to replacing ‘l3tt3r5 with numb3r5′. Take note, these passwords are beyond trivial to compromise. A script running thousands of iterations per second can guess these passwords without issue.
Ideally your password should be of at least 12 characters of random letters (both cases), numbers and special characters !@Â£$%^&*() (for example).
If your machine is infected with a trojan or virus it’s quite possible that an attacker has installed a keylogger (a program to track what you type). With this information, no matter the strength of the password an attacker has that password.
Server Compromise (Backdoor)
Moreso on shared hosting systems, if you have directories that require lax (chmod) permissions then another site on your server that has been compromised via the above methods can write files into these directories.