Malicious PHP scripts are often uploaded to sites that have folders with 777 (or just permissive enough) permissions. Sometimes you just can't set permissions to a secure level (because of crap applications), so you have to secure these folders another way.
One solution is to use an .htaccess file to stop direct PHP access/execution in that folder and its subfolders:
# touch .htaccess
Content of .htaccess:
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
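
Applied across a whole site, as an added example that is not part of the original post: the script below finds every world-writable directory under a docroot and writes the rule into those that have no .htaccess yet. It goes beyond the post by including the Apache 2.4 `Require all denied` form next to the post's 2.2 syntax; the function names and the docroot argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): drop the deny rule into every
# world-writable directory under a docroot that has no .htaccess yet.

# The rule from the post (Apache 2.2 syntax) plus the Apache 2.4 equivalent.
htaccess_rule() {
cat <<'EOF'
<Files *.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</Files>
EOF
}

# protect_writable_dirs DOCROOT   (DOCROOT is a path you supply)
# Prints each directory it protected. Directories that already have an
# .htaccess are left untouched and reported on stderr for manual review.
protect_writable_dirs() {
    docroot=$1
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 1; }
    # -perm -0002 matches any directory with the "other write" bit set
    # (777, 757, 775 is not matched because only group can write there).
    find "$docroot" -type d -perm -0002 | while IFS= read -r dir; do
        if [ -e "$dir/.htaccess" ]; then
            echo "skipped (has .htaccess): $dir" >&2
            continue
        fi
        htaccess_rule > "$dir/.htaccess"
        chmod 644 "$dir/.htaccess"
        echo "$dir"
    done
}

# Usage: protect_writable_dirs /path/to/docroot
```

The rule takes effect only where `AllowOverride` permits it (`Limit` for `Order`/`Deny`, `AuthConfig` for `Require`). Since the folder is writable, the .htaccess in it can be replaced as well, so the same `<Files>` block inside a `<Directory>` section of the server config is the more durable place for it when you control that config.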