Be sure to tell the client that deleting the .htaccess file is not going to make one bit of difference. It's not the problem, it's just the symptom. Someone is getting access to your server files. Altering .htaccess is just the thing they choose to do once they get in. They could delete the whole site if they want. Don't focus on .htaccess. Find the security hole.