I know that a website can have some vulnerabilities that hackers could use even though the admin tries his/her best to make their website very secure. I want to make my website secure, and to do that I need to try my best. The first way to make it secure is to ask questions, and below are the specific questions I want to ask.
These are my specific questions:
1. Can a hacker access my website's .htaccess file? And if so, can they edit it?
2. Can a hacker get my SSH root password even if the SSH password is 18+ characters long?
3. Can a hacker get my FTP username and password even if the FTP password is 18+ characters long?
4. Is SSH more secure than FTP?
NOTE: The below is just general information which probably doesn't cover half of the subject; there are tons of things you need to make sure of, but the below should give you a rough idea.

Yes, in some scenarios this could happen: for example, httpd.conf allowing people to visit .ht* pages, which is forbidden by default in httpd.conf.

Yes and no: just accessing the file from a browser will not grant them access to edit it; however, in some cases it may be possible, for instance if PHP, Perl, etc. have vulnerabilities, then yes, it may be possible. If the .htaccess file is for instance 777, which allows ANYONE to manipulate that file, it will be editable and readable from other accounts.

Brute force is not the only way to grab someone's password: if your computer has been compromised, if your services are not up to date with the newest exploits, and more, it's also possible to get your password.

The most common way to protect against this would be to make your SSH password-less: basically you will deny direct access to root, block any access using a password, and only grant access to authorized keys that are generated from a key pair. This key would allow you access to a pre-defined account that has that key allowed to log in as. From the account you've logged in as, you can either use sudo to run commands as root or su - to switch the current account to root.

- Change the SSH port to some other port.
- Use your firewall to prevent and catch brute force attempts on certain ports and block them.
- Use your firewall to allow only your IP to access the server if your IP is static.
- Use your firewall to block access to unused ports of services that do not require external access; for example, if you do not offer MySQL remote access you can block access to port 3306, as well as configuring your MySQL server to bind on localhost only.

Brute force is not the only way to grab someone's password: if your computer has been compromised, if your services are not up to date with the newest exploits, and more, it's also possible to get your password.

They are different protocols and serve different purposes, and they can be equally insecure or equally secure; it all depends on the System Administrator keeping it up to date and secure.
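The SSH hardening the answer describes (no direct root login, no password logins, keys only), as an added example that is not part of the original post: a POSIX shell audit of an sshd_config file for those three settings, run against two constructed sample files. It assumes OpenSSH's parsing rules (keywords are case-insensitive and the first uncommented occurrence wins) and OpenSSH 7.0+ defaults for absent keywords; Match blocks are not evaluated.

```shell
# Added example (not the original answer's code): audit an sshd_config against
# the answer's SSH advice. Assumed OpenSSH defaults when a keyword is absent:
# PermitRootLogin prohibit-password, PasswordAuthentication yes,
# PubkeyAuthentication yes. Match blocks are ignored.

# sshd_opt FILE KEYWORD DEFAULT: print the effective (lower-cased) value.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key && !found { print tolower($2); found = 1 }
        END { if (!found) print def }' "$1"
}

# audit_sshd_config FILE: print one WEAK line per finding; exit status is the
# number of findings, so 0 means the file matches the answer's advice.
audit_sshd_config() {
    cfg="$1"; weak=0
    root=$(sshd_opt "$cfg" PermitRootLogin prohibit-password)
    pass=$(sshd_opt "$cfg" PasswordAuthentication yes)
    pubkey=$(sshd_opt "$cfg" PubkeyAuthentication yes)
    # prohibit-password still lets root in with a key; the answer wants root
    # denied outright and reached via sudo / su - from an ordinary account.
    [ "$root" = "no" ] || { echo "WEAK PermitRootLogin=$root (want no)"; weak=$((weak + 1)); }
    [ "$pass" = "no" ] || { echo "WEAK PasswordAuthentication=$pass (want no)"; weak=$((weak + 1)); }
    [ "$pubkey" = "yes" ] || { echo "WEAK PubkeyAuthentication=$pubkey (want yes)"; weak=$((weak + 1)); }
    return "$weak"
}

# Constructed sample configs (not from any real host): a stock-looking file that
# still allows root password logins, and one written the way the answer says.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no   <- commented out, so the default (yes) applies
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
for f in "$WEAK_CFG" "$HARD_CFG"; do
    if audit_sshd_config "$f"; then echo "$f: matches the answer's SSH advice"
    else echo "$f: $? weak setting(s)"; fi
done
```

On a live host, compare the result with `sshd -T`, which prints the effective configuration including the outcome of any Match blocks.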