Websites Hacked through php Files

We had a disaster Sunday, January 10th. I found that neither of our websites was working, but thanks to the diligence of our server IT person whom we have known for 15 years, the sites are back up and running after he spent hours and hours wrestling with them. That said, I have a ton of stuff to redo. UGH. But I am forever grateful to him.

It turns out that it is highly likely that the nasty, hacking machines that scan the Internet found a vulnerability through some php file, either on our blog or in one of the websites.

After hours and hours of due diligence, he suggested that I add the following ATT57568.htaccess file to all my folders except for ones that have executable php files in them. The code for this file is…

<Files *.php>
deny from all
</Files>

My question is if I have a parent folder with no php files in it, should I add this file, even though there are subfolders that do have php files in them?

I am trying to do everything within my power to keep this from happening again.

All thoughts are welcome. I would hate to have this happen to someone else, and all information shared might help in this regard.

Thanks, and now to a well-deserved glass of spirits poured over one of those round ice “cubes” and a movie or program.

Take care,

TBC
https://www.BCphotoadventures.com/
https://www.BC-FineArtPhotography.com/
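
An added example, not part of the original post: a Python script that walks a site folder and reports where the rule quoted above already applies and where it could be added. It assumes Apache's usual behaviour that a rule in a folder's .htaccess also applies to all of its subfolders; the function names `has_rule` and `audit` are hypothetical.

```python
import os
import re

# The rule quoted in the post: a <Files *.php> section containing "deny from all".
RULE = re.compile(r"<Files\s+\"?\*\.php\"?\s*>(?:(?!</Files>).)*deny\s+from\s+all",
                  re.I | re.S)

def has_rule(directory):
    """True if directory/.htaccess contains the deny rule."""
    try:
        with open(os.path.join(directory, ".htaccess"), errors="replace") as fh:
            return bool(RULE.search(fh.read()))
    except OSError:
        return False

def audit(root):
    """Classify every folder under root; paths are returned relative to root.

    Assumption: a rule in a folder's .htaccess also applies to all of its
    subfolders (Apache's normal inheritance). A subfolder .htaccess that
    re-allows access is not modelled.
    """
    root = os.path.abspath(root)
    covered, php_dirs, all_dirs = {}, [], []
    for cur, dirs, files in os.walk(root):      # top-down: parents first
        dirs.sort()
        covered[cur] = has_rule(cur) or covered.get(os.path.dirname(cur), False)
        all_dirs.append(cur)
        if any(f.lower().endswith(".php") for f in files):
            php_dirs.append(cur)

    def php_at_or_below(d):
        return any(p == d or p.startswith(d + os.sep) for p in php_dirs)

    rel = lambda d: os.path.relpath(d, root)
    return {
        # PHP files here are denied by this folder's rule or an inherited one.
        "php_blocked": [rel(d) for d in php_dirs if covered[d]],
        # No rule applies and no PHP at or below: the rule can be added.
        "safe_to_add": [rel(d) for d in all_dirs
                        if not covered[d] and not php_at_or_below(d)],
        # No PHP here, but a rule added here would also deny PHP in subfolders.
        "parent_of_php": [rel(d) for d in all_dirs
                          if not covered[d] and d not in php_dirs and php_at_or_below(d)],
    }
```

Call `audit()` on a copy of the web root. Folders listed under `parent_of_php` are the case asked about in the post: they hold no php files themselves but have subfolders that do.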