@requinix I copied the contents of your .htaccess file into NANO, and saved it as .htaccess. File contents below:
<FilesMatch "\.(?!gif|jpe?g|png)$">
Order allow,deny
Deny from all
</FilesMatch>
To test and see if the .htaccess file would keep PHP files from running, I wrote the following PHP script and uploaded it into the uploads directory:
<?php
echo 'Script works!';
?>
Unfortunately, my PHP script is still running in the browser, even though we've CHmodded and added the .htaccess. Have I missed something?
@Christian F. I'm looking at implementing something like that, though it may be difficult. The site is massive, and disorganized. It'll be a bit of a challenge, so I wanted to at least disable PHP in that exploited directory as a first step, then work through cleaning the code up.