Well, if your server is running Apache then it should already have the following measure preventing that from happening in the httpd.conf file:
Deny from all
Before you edit your .htaccess file, just try to access the .htaccess file using your browser now. There's no way you should be able to do it.
Chances are, the site got hacked because either somebody obtained the username and password (i.e. login credentials) and FTP-ed their own stuff to the server, or they were able to upload malicious code (e.g. a file that contained server-side code and could be executed by typing its name in the browser).
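To confirm that the default protection mentioned above is still present in a server's configuration, the following added example (not part of the original post) scans configuration text for a `Files` or `FilesMatch` section that covers `.htaccess` and denies all access. It goes beyond the post by also accepting the Apache 2.4 form `Require all denied`; the function names and sample configurations are constructed for illustration, and the check assumes a single configuration text with no later section overriding the deny.

```python
import fnmatch
import re

# <Files ...> / <FilesMatch ...> sections: kind, optional "~", pattern, body.
SECTION = re.compile(r'<(Files|FilesMatch)\s+(~\s*)?"?([^">]+)"?\s*>(.*?)</\1>',
                     re.IGNORECASE | re.DOTALL)
# Deny-all directives: Apache 2.2 access control and the 2.4 authorization form.
DENY = re.compile(r'^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$',
                  re.IGNORECASE | re.MULTILINE)

def strip_comments(conf):
    """Drop commented-out lines so a disabled block is not counted."""
    return "\n".join(line for line in conf.splitlines()
                     if not line.lstrip().startswith("#"))

def section_covers(kind, tilde, pattern, filename):
    """FilesMatch, or Files with "~", takes a regex; plain Files a wildcard."""
    if kind.lower() == "filesmatch" or tilde:
        return re.search(pattern, filename) is not None
    return fnmatch.fnmatchcase(filename, pattern)

def htaccess_denied(conf, filename=".htaccess"):
    """True if a Files/FilesMatch section covering filename denies all access."""
    for kind, tilde, pattern, body in SECTION.findall(strip_comments(conf)):
        if section_covers(kind, tilde, pattern, filename) and DENY.search(body):
            return True
    return False

# Constructed sample configurations (not taken from any real server).
CONF_22 = '<Files ~ "^\\.ht">\n    Order allow,deny\n    Deny from all\n</Files>\n'
CONF_24 = '<Files ".ht*">\n    Require all denied\n</Files>\n'
CONF_OFF = '#<Files ".ht*">\n#    Require all denied\n#</Files>\n'
CONF_OTHER = '<Files "*.bak">\n    Require all denied\n</Files>\n'

if __name__ == "__main__":
    for name, conf in [("2.2 style", CONF_22), ("2.4 style", CONF_24),
                       ("commented out", CONF_OFF), ("other files only", CONF_OTHER)]:
        print(f"{name}: .htaccess denied = {htaccess_denied(conf)}")
```

A `False` result means the configuration text contains no active deny rule for `.htaccess`, which is worth following up with the browser check described in the post.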