It's possible you misunderstand how these securtiy plugins work. Plugins like Better WP Security, Bulletproof Security (which I'm a bigger fan of) are helper plugins at best. If your FTP password is stolen somehow no plugin can prevent hacker from simply uploading their hacks. So putting all your trust into plugins being a firewall against hackers is like buying a steel front door for your home then believing that will stop a burglar even though you often leave your windows unlocked at night.
That said, it's morel likely hacker hacked your website through some other means, like a stolen admin user/pass or FTP user/pass, or even another plugin.
As far as I'm aware, and I live in the WP hack repair business 24/7, this plugin is just fine and while I don't generally promote it I'm not aware of any other person stating this plugin was used to hack their site. IMHO that's very unlikely.
Links in a text widget though tend to indicate your dashboard admin user/pass was compromised. Recommend checking your account and verifying have just the one admin level account set up, and update your passwords respectively.
Of course, once hacker has your dashboard login, they can edit or delete any file on your website. Editing a security plugin file would be something I would do if I was a hacker (to poke fun at so called security plugins)…