Securing WordPress site
Prevent .php files from being executed from wp-includes and wp-content/uploads directories
Sometimes malicious PHP files end up in these two directories, and a spamming script can then execute them to run other scripts that send spam through your site. Protect these directories by adding an .htaccess file to each with the following content.
deny from all
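
The step above as a script, added here as an example rather than taken from the original page: it writes the rule into both directories without overwriting an existing .htaccess, and lists PHP files already present under uploads. The function names are hypothetical, and wrapping deny from all in a <Files *.php> block is an assumption that limits the rule to PHP files so media and static assets are still served.

```shell
#!/bin/sh
# Added example: htaccess_rule, harden_wp_dirs and find_uploaded_php are hypothetical names.

# Rule written to each directory. The <Files> scope is an assumption: it limits
# the page's "deny from all" to *.php so images and other static files still load.
htaccess_rule() {
    printf '%s\n' '<Files *.php>' 'deny from all' '</Files>'
}

# Write the rule into wp-includes and wp-content/uploads under WordPress root $1.
# An existing .htaccess is left untouched and reported, so local rules are not lost.
harden_wp_dirs() {
    root=$1
    status=0
    for dir in "$root/wp-includes" "$root/wp-content/uploads"; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir" >&2
            status=1
        elif [ -e "$dir/.htaccess" ]; then
            echo "kept existing file, review by hand: $dir/.htaccess" >&2
        else
            htaccess_rule > "$dir/.htaccess"
            chmod 644 "$dir/.htaccess"
            echo "wrote $dir/.htaccess"
        fi
    done
    return $status
}

# List PHP files already sitting under uploads. That directory holds media,
# so every hit deserves a look before it is deleted or restored.
find_uploaded_php() {
    find "$1/wp-content/uploads" -type f -iname '*.php*' 2>/dev/null | sort
}

# Run only when a WordPress root is passed as the first argument.
if [ -n "${1:-}" ]; then
    harden_wp_dirs "$1"
    find_uploaded_php "$1"
fi
```

Save it under any name and pass the WordPress root directory as the only argument.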