What a hacker can do with a file is more determined by what access they have to the parent directory. If they have access to and the necessary permissions for the parent directory they can still manipulate a file within that directory even if the file itself has read-only access. For example, you can read the content of the file, delete the file (even though the file itself has read-only permissions) and then create a new file with new contents (based on the original contents that were read) and set the permissions to read-only again. But you couldn’t append (write) to the _existing_ file because it doesn’t have write permissions. Slightly confusing you may say but that’s how it is.
You might want to look at the timestamps on the file to see when it is being changed and that may help you correlate it with other activity on the site. You may well have to involve your host support in this.
Probably what you need to do is determine how the hacker is gaining access to the site, e.g. it could be through another compromised site on the same server in which case they are not breaking into your site “through” the site interface but rather through the server itself and that is not really something that any security plugin can protect against.
May not directly resolve your problem but I hope that gives you an idea of how things are not always as straightforward as they may seem as regards file ownership/permissions.
Regards
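
The directory-permission behaviour described in the post above, as an added example that is not part of the original post: it lists files an account cannot write to but can still replace through a writable parent directory, then shows that removing the directory's write bit closes the gap. The function names and the `site/index.php` tree are constructed for illustration, and the check assumes classic owner/group/other mode bits only (no ACLs, and root bypasses these checks).

```python
import os
import stat
import tempfile
from pathlib import Path

def may(st, uid, gids, bits):
    """Owner/group/other check on mode bits only (ignores ACLs and root)."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return ((st.st_mode >> shift) & bits) == bits

def replaceable_readonly(root, uid, gids):
    """Files uid cannot write to but can delete and recreate via the parent."""
    found = []
    for dirpath, _dirs, files in os.walk(str(root)):
        d = os.stat(dirpath)
        if not may(d, uid, gids, 0o3):  # unlink/create needs write + search
            continue
        for name in files:
            path = os.path.join(dirpath, name)
            f = os.lstat(path)
            # Sticky directory: only the file's or directory's owner may unlink.
            sticky = (d.st_mode & stat.S_ISVTX) and uid not in (f.st_uid, d.st_uid)
            if not may(f, uid, gids, 0o2) and not sticky:
                found.append(path)
    return sorted(found)

def demo():
    """Constructed tree: a 0444 file inside a 0755 directory owned by us."""
    uid, gids = os.geteuid(), {os.getegid()}
    with tempfile.TemporaryDirectory() as top:
        site = Path(top, "site")
        site.mkdir()
        site.chmod(0o755)
        target = site / "index.php"
        target.write_text("original\n")
        target.chmod(0o444)
        before = replaceable_readonly(site, uid, gids)
        # The sequence from the post: read, delete, recreate, set read-only.
        old = target.read_text()
        target.unlink()
        target.write_text(old + "changed\n")
        target.chmod(0o444)
        result = (target.read_text(), stat.S_IMODE(target.stat().st_mode))
        site.chmod(0o555)  # fix: no write bit on the directory
        after = replaceable_readonly(site, uid, gids)
        site.chmod(0o755)  # restore so the temp dir can be cleaned up
    return before, result, after

if __name__ == "__main__":
    print(demo())
```

Pointing `replaceable_readonly` at a real document root with the web server account's uid and group ids gives the list of "read-only" files that account could still swap out.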