Im not asking someone to hack a 3rd partys site

The front page to a site i am an admin on was hacked recently.

The hackers hijacked / renamed the front page index.php file.

Now, in not a tecchie and the tech guy said we needed 644 permissions on the file (from joomla).

Interestingly the hacked file had 644 permissions so we're not quite sure how the site was exploited that permitted the file rename.

Would anyone mind helping me understand where the hole in joomla or the install is so that we can tighten the security up ?