Check any logs that are available: if you are using an Apache server, check access.log and error.log, then search for any uploaded file/image. To limit defacements you have to sanitize data from any POST, GET, COOKIE or PUT request: you have to check that you are receiving the expected kind of data, especially for those variables whose input will be printed in the pages.
Keep in mind: if you have a form from which a user can upload images or files, do you check the MIME type (and the sizes, in the case of an image)? If not, then it's simple to upload a script and replace the pages.
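A server-side version of the MIME and size check mentioned above, as an added example that is not code from the original post: it reads the type and dimensions from the file's own bytes instead of trusting the Content-Type the client sends. The limits, function names and sample inputs are assumptions made for illustration.

```python
import struct

MAX_BYTES = 2 * 1024 * 1024   # assumed upload size limit
MAX_DIM = 4096                # assumed maximum width/height in pixels
ALLOWED = {"image/png": (".png",), "image/gif": (".gif",),
           "image/jpeg": (".jpg", ".jpeg")}

def _jpeg_size(data):
    i = 2  # walk the segments after the SOI marker
    while i + 9 <= len(data) and data[i] == 0xFF:
        marker, seg_len = data[i + 1], struct.unpack(">H", data[i + 2:i + 4])[0]
        # SOFn segments hold the frame size; C4, C8 and CC are not SOF
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            h, w = struct.unpack(">HH", data[i + 5:i + 9])
            return "image/jpeg", w, h
        i += 2 + seg_len
    return None

def sniff_image(data):
    """Return (mime, width, height) read from the bytes themselves, or None."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR" and len(data) >= 24:
        return ("image/png",) + struct.unpack(">II", data[16:24])
    if data[:6] in (b"GIF87a", b"GIF89a") and len(data) >= 10:
        return ("image/gif",) + struct.unpack("<HH", data[6:10])
    if data[:2] == b"\xff\xd8":
        return _jpeg_size(data)
    return None

def validate_upload(filename, declared_type, data):
    """Return (accepted, detail); declared_type is the client-sent Content-Type."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    info = sniff_image(data)
    if info is None:
        return False, "not a recognised image"
    mime, w, h = info
    if declared_type != mime:
        return False, "declared type does not match content"
    if not filename.lower().endswith(ALLOWED[mime]):
        return False, "extension does not match content"
    if not (0 < w <= MAX_DIM and 0 < h <= MAX_DIM):
        return False, "image dimensions out of range"
    return True, mime  # caller should still store it under a server-generated name

if __name__ == "__main__":
    # Constructed samples: a minimal PNG header and a script posing as an image
    png = b"\x89PNG\r\n\x1a\n" + struct.pack(">I4sII", 13, b"IHDR", 64, 48)
    print(validate_upload("logo.png", "image/png", png))
    print(validate_upload("logo.png", "image/png", b"<?php echo 1; ?>"))
```

A matching header only shows the file starts like an image, so the upload directory should also be configured so the web server never executes anything stored in it.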
Oh, and something that is commonly overlooked... Reformat the machine you're FTP'ing your files from. Sometimes it's the host machine that is the issue, as there are spyware programs logging your keystrokes and broadcasting your FTP passwords etc. over the internet.