Uploads folder is the most attack target in WordPress Website. How to prevent PHP Execution in Uploads folder?
Prevent php Execution in Uploads Directory with .htaccess
Create .htacces file in uploads folder and write this command inside:
<Files *.php> deny from all </Files>
You can create simple php file in uploads folder like phpinfo or other:
<?php echo "hanya test"; ?>
Now, try to load your php file trough browser. You must see 403 Forbidden Error