WordPress offers so many ways to protect your website, a simple way of protecting yourself from ‘backdoor’ access is to deny access to certain WordPress files. Backdoor access files disguise themselves in folders such as /wp-includes/ and /wp-content/uploads/. Usually these are .php files and often stand out to the rest but disguise themselves with names that some what seems like WordPress core files and more.
This is a great way to deny access to the .htaccess file and disable PHP execution in a specific directory.
Firstly, create a blank file in text editor and copy in this code:
<Files *.php> deny from all </Files>
Then save the file as .htaccess
Now simply upload that file into your /wp-content/uploads/ folder and your /wp-includes/ folder. This file will now check for any PHP files and deny access to it. This does not completely take the chances of being hacked away but does harden your security of your website.
In case you are hacked, be sure to backup your website so you do not lose everything.