Anyway, for a WordPress site to work properly, we can't take away write permission on its writable folders. What we can do is reduce the attack surface by making sure PHP cannot be executed from them. One of the simplest ways to disable PHP execution in specific folders is to add the following lines to an .htaccess file.
Create a blank file in a text editor, name it .htaccess and paste the following into it:
# Refuse to serve any file ending in .php (or .php.) from this directory
<FilesMatch "\.(php|php\.)$">
Order Allow,Deny
Deny from all
</FilesMatch>
For maximum security, upload the file you just created into the following folders of your WordPress installation:
- /wp-content/uploads/
- /wp-includes/
- cache folders within themes and plugins
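The deployment described above, as an added example that is not part of the original post: a POSIX shell script that appends the rule to each listed directory's .htaccess (keeping any directives already there) and checks that each copy is in place. The WordPress install root is an assumed argument supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the original post: install the PHP-deny rule
# from the article into the writable WordPress directories and verify it.
# The install root is passed in by the caller (assumed path, e.g. /var/www/html).

# The exact rule from the article (straight quotes; curly quotes break the regex).
PHP_DENY_RULE='<FilesMatch "\.(php|php\.)$">
Order Allow,Deny
Deny from all
</FilesMatch>'

# Exit 0 if DIR/.htaccess already carries both the match pattern and the deny line.
check_php_deny() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -qF '<FilesMatch "\.(php|php\.)$">' "$f" && grep -qF 'Deny from all' "$f"
}

# Append the rule to DIR/.htaccess unless it is already present, so that a
# pre-existing .htaccess (e.g. one written by a plugin) keeps its directives.
install_php_deny() {
    dir="$1"
    [ -d "$dir" ] || return 1
    check_php_deny "$dir" && return 0
    printf '%s\n' "$PHP_DENY_RULE" >> "$dir/.htaccess"
}

# Apply the rule to the locations the article lists under ROOT; returns
# non-zero if uploads or wp-includes is missing (a sign ROOT is wrong).
harden_wordpress() {
    root="$1"
    status=0
    for d in "$root/wp-content/uploads" "$root/wp-includes"; do
        install_php_deny "$d" || { echo "missing: $d"; status=1; }
    done
    # cache folders inside themes and plugins, wherever they happen to sit
    find "$root/wp-content/themes" "$root/wp-content/plugins" -type d -name cache 2>/dev/null |
    while IFS= read -r d; do
        install_php_deny "$d"
    done
    return $status
}
```

Run it as `harden_wordpress /path/to/wordpress`; re-running is safe because the rule is only appended once per directory.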
Even if an attacker manages to get PHP code into these directories, the web server will refuse to serve it, so it cannot be run by requesting it over HTTP. This relies on Apache honouring the .htaccess file (AllowOverride must permit it); note that Order/Deny is Apache 2.2 syntax and on Apache 2.4 needs mod_access_compat or the equivalent Require all denied.
Note: This is not a FIX for a hack. This is just a security hardening tip.