You can improve security by preventing PHP programs from executing in the WordPress uploads folder, where uploaded images are stored, and in other folders outside of WordPress that contain only static files.


Stop PHP program execution in any folder

WordPress runs on PHP programs. If a site is vulnerable and malicious PHP code has been embedded in it, hackers can freely access and use the files.
Other hackers may also be able to request the paths where malware is often embedded and launch a further hack.

In these cases, you can improve security by stopping PHP execution in the upload folder, which does not need to contain any WordPress PHP programs, and in any other folder that contains only static files.

Create an .htaccess file to prohibit the execution of PHP

Make the following entry in a text editor and save it under the name .htaccess.

* .htaccess is a configuration file for the server that lets you apply various server settings.

<Files *.php>
deny from all
</Files>

<Files *.php> matches files that have a php extension, and deny from all is a server setting that means deny all access.

PHP programs can no longer be executed in the folder where this file is located or in the folders below it.
If you upload this file to your server with FTP software and place it in the following folder, PHP programs in the folder where WordPress stores images and other files can no longer be executed by accessing them.

WordPress installation folder /wp-content/uploads
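
To confirm the setting is in place, the following added example (not part of the original page) checks a local copy of the uploads folder for the <Files *.php> deny rule and lists any .php files already stored there. The function names and the sample folder tree are constructed for illustration, and the check also accepts Require all denied, the Apache 2.4 form of deny from all.

```python
import re
import tempfile
from pathlib import Path

# Matches the page's block; the body is inspected for a deny-all directive.
RULE = re.compile(r'<Files\s+"?\*\.php"?\s*>(.*?)</Files>',
                  re.IGNORECASE | re.DOTALL)
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
                  re.IGNORECASE | re.MULTILINE)


def has_php_deny_rule(htaccess_text):
    """True if a <Files *.php> block contains a deny-all directive."""
    # Drop comment lines so a commented-out rule does not count.
    active = "\n".join(line for line in htaccess_text.splitlines()
                       if not line.lstrip().startswith("#"))
    return any(DENY.search(m.group(1)) for m in RULE.finditer(active))


def audit_uploads(uploads_dir):
    """Return (rule_present, sorted relative paths of .php files found)."""
    root = Path(uploads_dir)
    htaccess = root / ".htaccess"
    rule = htaccess.is_file() and has_php_deny_rule(
        htaccess.read_text(errors="replace"))
    php_files = sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                       if p.is_file() and p.suffix.lower() == ".php")
    return rule, php_files


def build_sample(root, with_rule):
    """Constructed sample tree standing in for wp-content/uploads."""
    (root / "2024" / "05").mkdir(parents=True)
    (root / "2024" / "05" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "2024" / "05" / "thumb.PHP").write_text("<?php // constructed ?>")
    if with_rule:
        (root / ".htaccess").write_text(
            "<Files *.php>\ndeny from all\n</Files>\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp)
        build_sample(sample, with_rule=True)
        rule, found = audit_uploads(sample)
        print("deny rule present:", rule)
        for path in found:
            print("unexpected PHP file:", path)
```

A .php file reported here is worth inspecting even when the rule is present, because the uploads folder should hold only static files.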

What if WordPress is infected with malware?

In this case, you will need to take security measures such as scanning and removing the malware, and closing the vulnerability that may have caused the malware to be embedded.

You can use a malware search/removal plugin.
[Free] WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal]

Also, basic security measures will almost eliminate the possibility of being hacked.
Five free WordPress security measures