Unfortunately folks are overlooking the simplicity of the site.
That's why I asked about databases. Not all sites that look simple really are simple. This one probably is. (You "believe" you had a php contact form? Did you or didn't you? Did the hacker add one that wasn't there before, or delete one that you'd forgotten you had?)
Your site itself is probably not the target. But that's like saying that the burglar who broke into your basement apartment really did it to get easier access to the pricey penthouses-- and their pricey contents-- upstairs. You don't care about the penthouses; you just don't want to have to buy a new TV every other week.
To keep them from breaking in again, you have to maintain just as much security as if you did live in one of those attractive penthouses. And if the building owner can't figure out that the person who hacked into your expendable $9.95/month site is now on his way to the $995/month VPS that he really doesn't want to lose ... then it's time to move. Second recap:
What changes have you made so far?
The original post was pretty exactly three days ago. That's time for a lot of things to get done.
what should be added to [the .htaccess file] to provide protection?
A padlock. There is nothing you can put in the htaccess itself that will prevent people from overwriting or editing the file; that's simply not what htaccess does.