You need to speak to your site HOST as php or sql injection is something that they should be aware of and taking steps to prevent it. As far as PHP goes older versions of the software have vulnerabilities which are being exploited.
Change your site passwords to something a little stronger to see if that helps and seek help from your HOST provider, ensuring they have the latest versions of PHP/SQL, etc...
Obviously once exploited your site would become a soft target, so at the very least you need strong passwords and change the chmod permissions for pages so they aren't able to modified by other than the owner.