This week I was working on this site as there was an issue with some idiot hacking into the admin area who created an admin account. They had set it up so that there was a meta refresh which re-directed every page to some non-existent domain.
I removed their hacked edits and then installed Admin Secure, which should keep them out no problem, in fact it will ban their IP each time if they go near hacking the admin code.