The same solution I applied to Joomla some time ago works for WordPress as well. WordPress plugins (almost) never require direct access to their PHP files, so you can block direct requests to them. Crackers usually drop malicious PHP files into the wp-content or wp-includes directories: the web server should never run them.
A friend of mine has a WordPress website that has been targeted for SEO spam. So I’ve done some searches and cooked up an htaccess addition for him. After the RewriteBase statement add the following:
```apache
# Deny access to php files, except the ones we do want. From https://premium.wpmudev.org/blog/htaccess/
# If you want to exclude some files from the lockout just uncomment and tune one of the following two lines
# (a RewriteCond applies only to the RewriteRule directly below it, here the plugins rule)
#RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
#RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule ^wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteRule ^wp-content/uploads/(.*\.php)$ - [R=404,L]
RewriteRule ^wp-content/themes/(.*\.php)$ - [R=404,L]
RewriteRule ^wp-content/languages/(.*\.php)$ - [R=404,L]
RewriteRule ^wp-content/(.*\.log)$ - [R=404,L]

# Block some specific exploits. From http://www.wpexplorer.com/htaccess-wordpress-security/
RewriteRule ^wp-admin/includes/ - [F,L]
# Anything outside wp-includes skips the next three rules
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
```
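To see what the rules above block before deploying them, the following added example (not part of the original post) replays them in Python against constructed request paths. It emulates only the flags used here (`R=`, `F`, `S=`, `L`) and ignores the commented-out `RewriteCond` lines; the function name and sample paths are assumptions.

```python
import re

# The RewriteRule lines from the block above, in order. A leading "!" negates.
RULES = [
    (r"^wp-content/plugins/(.*\.php)$", "R=404,L"),
    (r"^wp-content/uploads/(.*\.php)$", "R=404,L"),
    (r"^wp-content/themes/(.*\.php)$", "R=404,L"),
    (r"^wp-content/languages/(.*\.php)$", "R=404,L"),
    (r"^wp-content/(.*\.log)$", "R=404,L"),
    (r"^wp-admin/includes/", "F,L"),
    (r"!^wp-includes/", "S=3"),
    (r"^wp-includes/[^/]+\.php$", "F,L"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", "F,L"),
    (r"^wp-includes/theme-compat/", "F,L"),
]

def evaluate(url, rules=RULES):
    """Return the status the rules force for url, or None if it passes through."""
    # mod_rewrite matches the path only (no query string); in .htaccess
    # context the leading slash is stripped before matching.
    path = url.split("?", 1)[0].lstrip("/")
    i = 0
    while i < len(rules):
        pattern, flags = rules[i]
        negate = pattern.startswith("!")
        matched = bool(re.search(pattern[1:] if negate else pattern, path)) != negate
        i += 1
        if not matched:
            continue
        for flag in flags.split(","):
            if flag == "F":                # Forbidden
                return 403
            if flag.startswith("R="):      # non-3xx status: request ends here
                return int(flag[2:])
            if flag.startswith("S="):      # skip the next N rules
                i += int(flag[2:])
    return None

# Constructed sample requests, not taken from a real log.
SAMPLES = ["/wp-content/uploads/2020/01/x.php?cmd=1", "/wp-content/uploads/2020/01/photo.jpg",
           "/wp-content/debug.log", "/wp-includes/version.php", "/wp-admin/admin-ajax.php",
           "/wp-includes/js/tinymce/wp-tinymce.php"]  # last one: not covered by these rules

if __name__ == "__main__":
    for s in SAMPLES:
        print(evaluate(s) or "pass", s)
```

The last sample shows that the wp-includes rule covers only PHP files at the top level of that directory, so the subdirectories still need file-integrity monitoring.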