As wilku stated, there are multiple ways. One of the most common ways is SQL Injection. Other common causes are XSS and general back-dooring.
SQL Injection
This is where the site takes a user-input, e.g. a search term/phrase, and puts that input into a SQL string to be executed on the server. Without escaping this input, a user could write arbitrary SQL code to get information about your database structure or even contents from a few select inputs. The way to counteract this is to verify user input. If you expect a number, use [man]ctype_digit[/man] to check if any other characters are included. Use [man]mysql_real_escape_string[/man] to escape the SQL special chars included in the user-input.
XSS
XSS, or Cross-site Scripting, is an exploit that I'm not too down on. I believe it's typically a JavaScript exploit that uses JavaScript to execute some random code on your server. You can google on XSS for some good information.
General Back-dooring
All of the above are from the front-end. Of course there are people that will scan ports of all computers out there to see if port 22 is open for SSH, or port 21 for FTP. If one is found, perhaps they'll try a brute-force attack against the "root" user. So make sure your passwords are secure. Also, if you have a section where your username is shown (like a forum or blog) then it's possible to brute-force through weak passwords in the forum or blog to get information about the server (FTP login, user info, etc.). The only way to really prevent this is to use secure passwords. Also, limit the number of attempts per-user in a specified amount of time or a max amount of failed login attempts (3 to 5 is usually a good threshold).
Hope that was helpful. There are other ways. But those three are the most prevalent.
