I checked my blog this morning and found it had been altered by someone other than me. The index.php page had

echo '<h1>HELLO</h1>';

inserted (in the wrong place so the homepage showed an error).

How could this happen and how can I stop it happening in future?

The thing that worries me most is now they probably have accessed all my passwords etc and more than likely could have done stuff I can't find right now!

What blog software were you using?

A lot of PHP content management, forum, and blogs have serious security problems and are easily hacked. If you really were hacked through your blog its most likely they did not get your Bluehost login.

Using Drupal but it was the index.php code that was altered rather than content which makes me think it was using command line or ftp?

I got my Php Nuke page hacked. They just changed the index. I dont know how people are doing this.

What kind of failure of a hacker puts their code in the wrong place? Anyways, they probably don't actually have your password, the vast majority of 'hackers' use exploits to simply inject things into your pages. Of course if they actually knew PHP that would be dangerous, but luckily scriptkiddies are all mentally retarded.