Most WordPress exploits rely on the attacker, once inside your site, being able to run some kind of code. This is often DISASTROUS for your site: at the very least you become a site that infects its visitors; at worst the attacker takes over the site, loads hundreds or thousands of files onto your server and turns it into a "bot" (robot) that sends spam or attacks other websites.
There is no valid reason to run PHP code from the site's uploads folder, so turn that ability off with .htaccess!
Upload a .htaccess file to the wp-content/uploads/ folder with the following contents:
# Unmap the PHP handler and MIME types for these extensions in this directory
RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
# mod_php only: switch the PHP engine off for anything served from here
php_flag engine off
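Those three directives assume PHP runs as an Apache module (mod_php). On hosts where PHP runs under PHP-FPM or FastCGI, php_flag is not a recognised directive and Apache answers every request under uploads with a 500 error, while RemoveHandler does not undo a SetHandler proxy:fcgi mapping made in the main server config, so scripts would still execute. The .htaccess below is an added example, not the original post's, that denies requests to PHP-looking files outright and only applies php_flag when mod_php is actually loaded; it assumes Apache 2.4 and AllowOverride All for the uploads directory.

```apache
# Hardened wp-content/uploads/.htaccess (added example; assumes Apache 2.4
# and AllowOverride All on this directory).

# 1. Refuse to serve anything Apache might hand to a PHP interpreter, however
#    PHP is wired in (mod_php handler or a SetHandler proxy:fcgi mapping).
#    The pattern also catches double extensions such as name.php.jpg, which
#    AddHandler-style configurations treat as PHP.
#    On Apache 2.2 replace "Require all denied" with:
#        Order deny,allow
#        Deny from all
<FilesMatch "\.(php|phtml|php[3-7]|phps|phar)(\.|$)">
    Require all denied
</FilesMatch>

# 2. Switch the engine off as well, but only when mod_php is present;
#    php_flag is unknown to Apache otherwise and would cause a 500 error.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# 3. Keep the original handler/type unmapping for the mod_php case.
RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
```

To verify, drop a file containing only `<?php echo 'executed'; ?>` into uploads and request it: a 403 (or the raw text, on 2.2 setups) means the block works, whereas a page reading "executed" means PHP still runs there. Remove the test file afterwards.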