Secure wp-content/uploads in Linux Apache and Windows Server IIS
It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a
.htaccess file on Linux Apache, or
web.config accesssPolicy in Windows Server IIS, and here is how.