Secure wp-content/uploads in Linux Apache and Windows Server IIS
It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably and in my opinion without the use of a security plugin . Denying access to PHP files in WordPress wp-content/uploads folder is easily achieved with a
.htaccess file on Linux Apache, or
web.config on Windows Server IIS, and here is how.