i want to ask why in my 2010 dated wordpress i found several .php malicious scripts (scripts used to redirect randomly to some advertising websites, script which allows uploading files to anyone.)


so it might be some old wordpress bug? If i want to fix, i can add .htaccess file to the upload folder and set to disallow executing .php files, it may help reduce risk right?

Here is how to add that htaccess: http://internetlifeforum.com/php-mysql-forum/2066-how-prevent-execution-injection-malicious-scripts-website/

Another thing is to remove write permission for upload directory or wp-content directory and all its sub-folders (meaning it will not be 755, but 555) the result of this would be wordpress plugin updates stop working, disallowed uploads of new images by wordpress and no new malicious scripts added.