Tags: php, .htaccess, security

PHP files get edited by spammers


Anti-spam conditions disappear from mailer PHP files while contact form is being simultaneously attacked by spammers.

This is the second time in a week this has happened. Lines of spam-preventing code just get removed from my PHP file (nothing gets added). I have contacted the server people but they said it's not their problem and something is wrong with PHP itself.

What are the best steps to take to make sure this doesn't happen? Are there any htaccess or ftp security settings I could make use of?


Solution

  • It could be possible that you're simply overwriting your files with versions that don't have the tags in them. Double-check that your plugins and upload scripts don't have permission to overwrite these files without your permission.

    If you are worried about your security though, the most common forms of file injection are through image uploads and forums. Ensure that, if you are using any database connections, you use either MySQLi or PDO, and remember to use parameterised queries!

    While you could make a few FTP or .htaccess rules, they aren't really going to stop any potential hackers. The best thing you can do is to make sure you don't have any security vulnerabilities that can be exploited.

    If you're running WordPress, run your site through WPScans to make sure there are no vulnerable plugins that you're using (there are literally thousands of vulnerable plugins).

    For further reading on security vulnerabilities and how to address them, I recommend checking out the OWASP Top 10 cheat sheet.

    Hope this helps! :)
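The "use parameterised queries" advice in the answer, shown as a worked example. This is an added illustration, not code from the question or the answer: it puts a string-spliced lookup next to its PDO prepared-statement form and runs both against a constructed in-memory SQLite table (the table, the two rows and the hostile form value are all made up for the demonstration; the function names are hypothetical). The same pattern applies to MySQLi's `prepare`/`bind_param`.

```php
<?php
// Added example (not from the original answer): a vulnerable lookup beside
// its PDO prepared-statement form. Uses an in-memory SQLite database so it
// runs offline; the table, rows and hostile input are constructed for this demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$pdo->exec("INSERT INTO subscribers (email) VALUES ('alice@example.com'), ('bob@example.com')");

// VULNERABLE: the form value is spliced straight into the SQL text, so the
// value can change the shape of the query.
function findByEmailUnsafe(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email FROM subscribers WHERE email = '$email'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the query shape is fixed at prepare time; the value travels
// separately as a bound parameter and is only ever compared as data.
function findByEmailSafe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM subscribers WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed hostile form value: a tautology that makes the WHERE clause
// true for every row when it is spliced into the query text.
$hostile = "' OR '1'='1";

$unsafe = findByEmailUnsafe($pdo, $hostile);   // returns every subscriber
$safe   = findByEmailSafe($pdo, $hostile);     // returns no rows: compared literally

printf("unsafe: %d rows, safe: %d rows\n", count($unsafe), count($safe));
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). The point to take from the output is that the prepared statement returns zero rows for the hostile value, because the database never interprets the value as SQL; the spliced version returns both rows. Whatever the answer's other advice about permissions and plugins, this is the one change that removes the injection class rather than trying to filter it.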