The hacker actually managed to change the index.php file and the other page files.
How do they get access? I don't know what the CHMOD is on the root directory because I don't have FTP access to the server (I did, but this is a paranoid client and she changed the password right after I uploaded the site). Can a hacker access and change files if the permissions are set badly?
If it's a shared host, all they need somtimes is one point of weakness, where they can inject a script that will run as the Apache (or whatever web server) user, which will likely have access to many directories/files on the server if it's not well configured. Even worse is if they can crack the login/password for a root user on the host, at which point it would not matter what permissions you had set.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation