This is a very broad question.
But start by revoking any "write" access from your users, unless they are admins, and then try to secure your control panel. Unless it is someone from within, he won't be able to access it. Also, try to see who makes changes; thus "source control" is always a preferred tool in teams. It gives you information about the user who made a change in the system. You can then catch them if they are from within your system. Otherwise, ban their IP address.
Hackers usually try to access your website from any input field; if you do not provide them a way, they won't be able to enter. SQL injection, cross-site forgery or scripting may also be a reason. They may try to enter an invalid field to see if that works, and unvalidated data and concatenated SQL commands are very attractive to them.
https://en.wikipedia.org/wiki/SQL_injection
https://en.wikipedia.org/wiki/Cross-site_scripting
I recommend that you, at once, contact the system administrator and/or network administrator and ask them to solve this problem.
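The point above about unvalidated input and concatenated SQL commands, shown as an added example that is not part of the original answer: the same lookup written with string concatenation and with a bound parameter plus allow-list validation. The table, column and function names and the sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; schema and rows are assumptions for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "editor")])
    return db

def find_user_concatenated(db, name):
    # Weak form: the field value becomes part of the SQL text itself,
    # so a quote in the input changes the meaning of the statement.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def find_user_parameterized(db, name):
    # Corrected form: the value is bound as data and is never parsed as SQL.
    return db.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

# Allow-list for the expected shape of a username (hypothetical policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def validate_username(name):
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None

def lookup(db, name):
    # Validate first, then query with a bound parameter.
    if not validate_username(name):
        raise ValueError("invalid username")
    return find_user_parameterized(db, name)

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed field value containing quotes
    print("concatenated :", find_user_concatenated(db, crafted))
    print("parameterized:", find_user_parameterized(db, crafted))
    print("valid lookup :", lookup(db, "alice"))
    try:
        lookup(db, crafted)
    except ValueError as exc:
        print("rejected     :", exc)
```

The concatenated query returns every row for the crafted value, while the parameterized query returns none and the validated lookup rejects it before the database is touched.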