how one can prevent adding malicious scripts to its website.
I mean to my website was injected .php file shell which can create files and such actions. It can even make denial of service, spam and such

so i want to ask how to prevent these scripts be executed or injected?

So far may help creating .htaccess in certain vulnerable folders like /upload /cache and adding:
# disallow php execution
<files *.php>
Deny from all
If .php execution should be disable everywhere except document root and one subdomain directory, one can try putting this into .htaccess (changing path first in code):

RewriteEngine on

RewriteCond %{REQUEST_URI} !^/subdomains/subdomain
RewriteRule (.*)/(.*).php - [F]
Update: another thing is to remove writing permission on all website directories