Be on the lookout for SQL injection exploits, which have flared up recently. Your scripts should not look for 'problematic requests' and reject them. Rather, the scripts should look only for completely-acceptable requests, and accept only those.
It may be a subtle distinction, but the idea is, don't try to guess what you want to reject. Instead, decide up-front what you are willing to accept, and reject everything else. Getting this idea wrong is the most common error made by programmers new to the requirements of secure computing -- they are always, as the saying goes, "Closing the barn door after the horse has already run away."
Jim
In addition to the other suggestions, guard against "remote file inclusion". That's the most common way that site files get modified. The scenario:
Your script accepts data in URL query strings. Someone requests one of your files but passes a malicious URL in the query string. Your script includes a file that is passed by query string. It fails to test whether the query string is a reference to a remote site. Your script, using "include", pulls the referenced malicious file (hosted on a remote server) into itself, where it becomes part of your script. It runs. It rewrites all the index files in your site, or any other files it wants. It has the full run of your site.
Next time files get modified, note the timestamps on the modified files. Then examine your access logs for who was requesting what at that time.
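The log review described in the last post, as an added example that is not part of the original thread: it lists the requests logged within a few minutes of a file's modification time and marks any whose query string carries a remote URL. The combined log format, the five-minute window, the parameter name `page` and all sample addresses and hosts are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl

# Start of an Apache/nginx "combined" log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A decoded parameter value that starts with a remote URL scheme.
REMOTE_VALUE = re.compile(r'^\s*(?:https?|ftps?)://', re.I)

def remote_params(target):
    """Return (name, value) pairs whose URL-decoded value is a remote URL."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_VALUE.match(v)]

def requests_near(log_lines, modified_at, window=timedelta(minutes=5)):
    """List (time, host, target, remote_params) for requests within
    `window` of a modified file's timestamp (timezone-aware)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        if abs(ts - modified_at) <= window:
            hits.append((ts, m['host'], m['target'], remote_params(m['target'])))
    return hits

# Constructed sample data: documentation IP ranges and a made-up host.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:03:14:07 +0000] '
    '"GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:03:15:41 +0000] '
    '"GET /index.php?page=http%3A%2F%2Fremote.example%2Fx.txt HTTP/1.1" 200 312 "-" "-"',
    '192.0.2.10 - - [12/Mar/2024:09:30:00 +0000] '
    '"GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
# In practice: datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
SAMPLE_MTIME = datetime(2024, 3, 12, 3, 15, 43, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ts, host, target, remote in requests_near(SAMPLE_LOG, SAMPLE_MTIME):
        print(ts.isoformat(), host, target, "REMOTE-URL" if remote else "")
```

Percent-encoded values are decoded before the check, so an encoded `http%3A%2F%2F` is marked the same as a literal `http://`.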