The greatest threat to a site is PHP shells uploaded by an intruder to the server: scripts that run on your server and can change any file that is writable, or, for example, read the configuration data and thereby gain direct access to the database.

The key point is that shells cannot be dropped into just any folder on the server, only into folders that are writable on the server.

In folders where PHP code never needs to run, such as /images/, /uploads/, /templates/ and so on, it is better to prohibit the execution of PHP files altogether.

On servers running in CGI, FastCGI, suPHP, DSO (Apache) modes

Create a .htaccess file in the folder where you want to prohibit the execution of PHP code; if the file already exists, add the following code at the beginning:

# Deny direct requests for .php, .cgi, .pl and .phtml files, including double  
# extensions such as shell.php.jpg (the unanchored pattern also catches names  
# like .plugin). On Apache 2.4 without mod_access_compat, replace the two  
# Order/Deny lines with: Require all denied  
<FilesMatch "\.([Pp][Hh][Pp]|[Cc][Gg][Ii]|[Pp][Ll]|[Pp][Hh][Tt][Mm][Ll])\.?.*">  
Order allow,deny  
Deny from all  
</FilesMatch>  

This block denies direct HTTP requests for PHP (and CGI, Perl and PHTML) files located in those folders, so an uploaded shell cannot be called through the browser.

On servers running PHP as an Apache module (mod_php, DSO), where the php_flag and php_value directives are honoured in .htaccess

create a .htaccess file in the folder where you want to prohibit the execution of PHP code; if the file already exists, add the following line at the beginning:

php_flag engine off  

This line turns off the PHP interpreter for PHP files in that folder and all of its subfolders. So even if an intruder places files with malicious PHP code in those folders, they are completely useless to him, because the server simply will not run them.
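As an added example that is not part of the article, a small Python audit script that walks a document root, reports writable directories that carry neither of the two protections above (in their own or an inherited .htaccess), and can write the article's blocks into a directory, prepending to an existing file as the text instructs. The `cgi` / `mod_php` mode labels and the `cgi-bin` skip list are my own choices.

```python
import os
import re
from pathlib import Path

# The two .htaccess snippets from the article, keyed by server mode:
# "cgi" for CGI/FastCGI/suPHP (block direct requests), "mod_php" for DSO.
BLOCKS = {
    "cgi": (
        '<FilesMatch "\\.([Pp][Hh][Pp]|[Cc][Gg][Ii]|[Pp][Ll]|[Pp][Hh][Tt][Mm][Ll])\\.?.*">\n'
        "Order allow,deny\nDeny from all\n</FilesMatch>\n"
    ),
    "mod_php": "php_flag engine off\n",
}

# Matches a <FilesMatch ...> whose pattern covers "php" (written plainly or as [Pp][Hh][Pp]).
_PHP_FILESMATCH = re.compile(r"<filesmatch[^>]*?p+[^a-z>]*h+[^a-z>]*p+")


def is_protected(htaccess_text: str) -> bool:
    """True if the text already disables PHP execution by either method."""
    text = " ".join(htaccess_text.split()).lower()  # normalise whitespace and case
    if "php_flag engine off" in text:
        return True
    denied = "deny from all" in text or "require all denied" in text
    return denied and _PHP_FILESMATCH.search(text) is not None


def unprotected_writable_dirs(docroot: str, skip=("cgi-bin",)) -> list:
    """Return directories under docroot that this process can write to and that
    have no PHP-execution block in their own or an ancestor's .htaccess.
    Run it as the web-server user so W_OK reflects what an uploaded shell could do."""
    found = []
    for dirpath, dirnames, _ in os.walk(docroot):
        dirnames[:] = [d for d in dirnames if d not in skip]
        ht = Path(dirpath) / ".htaccess"
        if ht.is_file() and is_protected(ht.read_text(errors="replace")):
            dirnames[:] = []  # .htaccess directives inherit downwards: subtree is covered
            continue
        if os.access(dirpath, os.W_OK):
            found.append(dirpath)
    return found


def protect_dir(dirpath: str, mode: str) -> str:
    """Write the block for `mode` into dirpath/.htaccess, prepending it to an
    existing file as the article instructs. Returns the resulting file text."""
    ht = Path(dirpath) / ".htaccess"
    existing = ht.read_text() if ht.exists() else ""
    if is_protected(existing):
        return existing
    text = BLOCKS[mode] + existing
    ht.write_text(text)
    return text
```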

Updated March 13, 2019