.htaccess and paste the following code in there
<Files *.php>
deny from all
</Files>
Now upload this file to your /wp-content/uploads/ folder. You should also upload it to your /wp-includes/ folder.
Code Explanation: The <Files *.php> block matches every file whose name ends in .php, and "deny from all" tells Apache to refuse any request for it. Because an .htaccess file also applies to subdirectories, the rule covers everything beneath the folder it is uploaded to.
This article is a response to a Quora question in which a user asked whether it was possible to harden a site's security with the .htaccess file. One of the tips we mentioned was disabling PHP execution in the uploads directory.
Note: This is not a FIX for a hack. This is just a security hardening tip.
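To confirm the rule is in place in both folders, and to see any PHP files already sitting in uploads (which the rule blocks from being requested but does not remove), a small audit script helps. This is an added example, not code from the original article; the function names are hypothetical and it assumes the stock WordPress folder layout.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for the .htaccess rule described above.
# Assumption: stock layout (wp-content/uploads and wp-includes under the root).

# has_php_deny DIR: succeed if DIR/.htaccess holds a <Files *.php> block whose
# body is "deny from all" (the page's rule) or Apache 2.4 "Require all denied".
# A deny nested inside <IfModule> is not recognised by this simple check.
has_php_deny() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    # Drop comment lines, then flatten so multi-line blocks match one regex.
    grep -v '^[[:space:]]*#' "$f" | tr '\n' ' ' | grep -Eiq \
'<Files[[:space:]]+"?\*\.php"?[[:space:]]*>[^<]*(deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)[^<]*</Files>'
}

# count_php_files DIR: print how many *.php files (any case) exist under DIR.
count_php_files() {
    find "$1" -type f -iname '*.php' 2>/dev/null | wc -l | tr -d ' '
}

# audit_wp ROOT: report on both folders; return 1 if anything needs attention.
audit_wp() {
    root="$1"
    rc=0
    for d in wp-content/uploads wp-includes; do
        if has_php_deny "$root/$d"; then
            echo "OK      $d: PHP deny rule present"
        else
            echo "MISSING $d: no <Files *.php> deny rule in .htaccess"
            rc=1
        fi
    done
    # The rule blocks requests but removes nothing, so list PHP files that
    # are already sitting in uploads for manual review.
    n=$(count_php_files "$root/wp-content/uploads")
    if [ "$n" -gt 0 ]; then
        echo "REVIEW  wp-content/uploads: $n PHP file(s) present"
        find "$root/wp-content/uploads" -type f -iname '*.php'
        rc=1
    fi
    return "$rc"
}

# Usage: sh audit.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    audit_wp "$1"
fi
```

The script only inspects files on disk; requesting a harmless test .php file in the uploads folder and getting a 403 response confirms that Apache is actually honouring the .htaccess file.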
If you are concerned about your WordPress security, we suggest you purchase the Sucuri Monitoring service. Here are 5 reasons why we are using Sucuri on our websites. The cost comes down to roughly $3 per month per website, provided that you get the 5-website package.