Not really a WebsiteBaker issue, but it is one of the most seen cause of problems.
A *nix (unix/linux) webserver uses a permissions method a bit different from what most people are used to see in Windows.
Files and directories are owned by a user in the system. All files can have permissions set to read/write/execute by the owner of the file, or by the group a user belongs to or just by everyone.
Users are typically 1) the website and 2) the FTP account.
Depending on the way your website host has setup your webspace these two users can be either the same or 2 different users.
When they are the same, you will have no problems with permissions. This is the case when your host uses fastCGI, suExec or mod_ruid2 to run PHP.
If your PHP is configured as an Apache module the website wil use a different user as the FTP user.
You might have seen these numbers before. They represent the bits set in files and directories for reading, writing and executing.
777 will allow all users to write into a file, or create new files, where 644 (for files) and 755 (for directories) only allows their owners to write or create something.
The problem now is that typically WebsiteBaker will be installed by uploading the installation files to your webserver. The FTP session will create the files and directories so they are all owned by the FTP user.
Whenever you want to install a new module or template using the WebsiteBaker admin installer the website needs to create a new folder in the /modules/ or /templates/ directory.
Unfortunatly the was created by the FTP user, so the website will not be allowed to do this.
The way to overcome this is to set the /modules/ (and templates) directory to 777 so the website can create its own files.
Typically a WebsiteBaker installation sets permissions on new installed files to 644 (and 755 for directories), meaning you cannot modify them using FTP. They may be located in a directory with 777 permissions, but the new directory will have 644/755 permissions owned by the website user.
The only way to reset this is by running a script or let your hosting controlpanel set new permissions for thise files.
If your host has configured your webserver correctly there will be no problems with 777.
Shared hosting servers with many webspaces should be configured in such way any webspace is limited to its own login (FTP) only, and PHP will only be able to reach files and directories configured for that account only.
If you got hacked this is probably done by getting access to your hosting account (FTP or controlpanel) or by getting access to your WebsiteBaker website as a user. Weak passwords, passwords used somewhere else, keyboard sniffers, accessing through public Wifi spots, etc etc are all possible causes why someone could get access to your website.
It really does not matter if you have used 644/755 or 777. The hacker can do the same as you can after he got access.
Just by creating a page with a code block or even creating a droplet a hacker can create or upload a script that can access every file and database linked to that webspace.
Optionally you can have your website run a script on a regular basis to warn you whenever a file is created or modified.
If you need your website to do something more than display text and an occasional image you might need a module to enhanche the CMS's functionality.