Many times malware php scripts are uploaded to sites when 777 (or just enough)  permision folders are present. Sometimes you just can’t set permissions to a secure level (because of crap applications) so you have to secure these folders another way.

One solution is to use .htaccess files for example to stop direct php access/execution in that folder/subfolders :

#touch .htaccess

content of .htaccess:

<Files *.php>
Order Deny,Allow
Deny from all