@Cvar1984
Created December 24, 2024 10:58
Disable malicious PHP execution from arbitrary file uploads
# Turn the PHP engine off for this directory under every mod_php variant.
# Each <IfModule> applies only when that module is loaded, so the file still
# parses on servers that run a different PHP module or none at all.
# In .htaccess, php_flag needs AllowOverride Options (or All). Where
# AllowOverride is None the whole file is ignored and nothing here protects
# the directory, so check the effective setting after deploying.
# NOTE(review): if the upload handler lets a client write a file named
# .htaccess into this directory, these rules can be replaced; placing them in
# a <Directory> block of the server config with AllowOverride None avoids that.
<IfModule mod_php4.c>
php_flag engine off
</IfModule>
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
<IfModule mod_php7.c>
php_flag engine off
</IfModule>
# Unversioned module name; presumably what PHP 8 builds register - confirm for your distribution.
<IfModule mod_php.c>
php_flag engine off
</IfModule>
# Reset the handler for script-like extensions, matched case-insensitively
# against the end of the file name; presumably so these requests are not
# handed to a PHP FastCGI backend.
# NOTE(review): SetHandler and FilesMatch are core directives, so the
# mod_proxy_fcgi guard only limits where the reset applies: it is skipped when
# a handler was set through another module. Confirm that is intended.
<IfModule mod_proxy_fcgi.c>
<FilesMatch '(?i)\.(php|phps|pht|phpt|phtm|phtml|phar|php3|php4|php5|php7|shtml|suspected)$'>
SetHandler none
</FilesMatch>
</IfModule>
# Drop the extension-to-handler and extension-to-type mappings (the ones made
# with AddHandler / AddType) for script-like extensions in this directory.
# Applies only when mod_mime is loaded; in .htaccess these directives need
# AllowOverride FileInfo.
# NOTE(review): server-side includes for .shtml are often enabled with
# AddOutputFilter, which RemoveHandler / RemoveType do not undo - verify whether
# RemoveOutputFilter or Options -Includes is also needed on your server.
<IfModule mod_mime.c>
RemoveHandler .php .phps .pht .phpt .phtm .phtml .phar .php3 .php4 .php5 .php7 .shtml .suspected
RemoveType .php .phps .pht .phpt .phtm .phtml .phar .php3 .php4 .php5 .php7 .shtml .suspected
</IfModule>
# Apache 2.4 (mod_authz_core): deny every request by default, then grant access
# only to file names ending in one of the listed extensions (case-insensitive).
# Anything else, including the script extensions and extensionless files, is refused.
# The match is on the final extension only; file content is not inspected, so
# upload-side validation is still needed.
# NOTE(review): svg is allowed - an SVG can embed script that runs in the
# site's origin when opened directly; consider serving uploads as attachments
# or from a separate host.
# NOTE(review): sql and db are allowed, which makes database dumps and database
# files placed in this directory downloadable by anyone - confirm that is intended.
<IfModule mod_authz_core.c>
Require all denied
<FilesMatch '(?i)\.(jpg|jpeg|png|gif|webp|tiff|svg|psd|pdf|doc|docx|odt|ppt|pptx|txt|csv|tsv|sql|db|xls|xlsx|zip|tar|rar|gz)$'>
Require all granted
</FilesMatch>
</IfModule>
# Fallback for Apache 2.2 and older, used only when mod_authz_core is NOT loaded.
# With "Order deny,allow" the Deny rules are evaluated before the Allow rules:
# everything is denied by default and only the listed extensions are allowed.
# The extension list repeats the one in the mod_authz_core section; keep the
# two in sync when editing, and apply the same review of svg / sql / db there and here.
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
<FilesMatch '(?i)\.(jpg|jpeg|png|gif|webp|tiff|svg|psd|pdf|doc|docx|odt|ppt|pptx|txt|csv|tsv|sql|db|xls|xlsx|zip|tar|rar|gz)$'>
Allow from all
</FilesMatch>
</IfModule>