Code injection in my core php CMS

hi all,
i have developed CMS in core PHP, everything was working fine untill someone put htacess file in images directory(admin/images), i dont know how htacess file come to these directory and this file locked so i cant delete or update it, because of this hta acces file no images from admin/images directory displays.i want to know how someone can put file in my images directory without having ftp. and how to prevent this ?