Dissecting a website attack through a compromised FTP account
Solution 1:
Something twinged as familiar while reading through your post. Then it hit me: I had seen this before, over a month ago, when trying to access a site for a game. See here - same behavior, the redirect action taken just on search engine referrers.
The domain name in your .htaccess
looked familiar because my home computer's antivirus had made loud noises about it to me weeks ago.
And, wouldn't you know it, the host of the site that I'd observed this on? GoDaddy.
I don't think you got brute-forced or had your password compromised through any fault of your own; I think GoDaddy was the one compromised here. And I wouldn't put it past them to store the FTP passwords in plain text. Some more digging found this article suggesting the same; brute force protection may be the least of their issues.
Solution 2:
Easy! Don't use FTP. It transmits the credentials in plain-text and transmits all data in plain-text. It's one of the most insecure ways to transfer files. If your host doesn't support any other ways, find a new host.