Hi
A simple way to make sure that it does not happen again is to follow the installation instructions and move your files folder outside the webroot, meaning that it is not a subdirectory of you OJS installation. Also remember to update your config.inc.php and add the correct path there.
The authors can still upload phtml files, but they can not use them to hack your system, because the files are not accessible.