The most common reasons for a hacked (defaced) website include:
– Outdated web application. Every popular web application (Joomla, WordPress, PhpBB…) has had security problems, which is why you should always run the latest version.
– Outdated web application extension. If you have installed any third-party extensions, you have to keep them up to date just as you do the main web application. Users very often neglect this, and outdated extensions are easily exploited by intruders.
– Weak user / administrator passwords. You must ensure that all users have strong passwords, especially the admin and those who can create content on your site.
– Infected local computer. Some computer viruses/worms are known to steal FTP logins and then add malicious code to web files. For this reason, make sure you have up-to-date antivirus software and scan your computer for viruses regularly.
– Insecure environment. Generally this is the least probable scenario. However, there are still web hosts that cannot properly isolate users from one another on a shared server. Other hosts cannot find the right balance between security and usability, and so fail to protect websites without making them unusable.