One of my friends' websites has been hacked. He runs his website on a Linux server.

The hacker has managed to overwrite his index.html file only, leaving other files intact. His password consists of 25 characters with alphanumerics and symbols, so it's not possible to crack his password, hypothetically. Even if it were, the hacker would have deleted all his files or could have done more damage to his account.

So, I was wondering if any of you has any idea on:

1) How did the hacker replace the index file without knowing the password?

2) What measures can my friend take so that this does not happen in future?

Many thanks in advance.