See: https://asafaweb.com/Scan?Url=tv-spices.co.il
Defacement: http://sitecheck.sucuri.net/results/tv-spices.co.il
File write permission should be checked by hoster, plesk08.smarthosting.co.il.

Revoke write permission, check in the website for the input controls and the validations on that, any page can create without using ftp but with using XSS bypassing the arguments from jscript from any input control

info credits go to krayknot. Defaced because there is a nullscriptable install system!

polonus (volunteer website security analyst and website error-hunter)