Protect _files Directory

Protect all your folders with read, write and execute permissions if you can! You should protect your _files directory; the best way would be if your server can handle the directory with permissions lower than 0777. This is just extra security: if your server is configured correctly, a folder with CHMOD 0777 is not a problem, but sometimes being paranoid about security is not a bad thing.

Create a .htaccess file with the following content:

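# Deny web access to any file ending in one of these extensions.
# Order/Deny is Apache 2.2 syntax; Apache 2.4 without mod_access_compat uses "Require all denied".
<FilesMatch "\.(htaccess|htpasswd|ini|php|fla|cgi|log|sh|pl|txt)$">
 Order Allow,Deny
 Deny from all
</FilesMatch>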

Of course you can extend this as you like, but this will prevent most of the bad files from being executed through a web browser.

Upload it with your preferred FTP client into your _files (or similar) directory and make sure this file has only the following permission (CHMOD 0644). Done!
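
To confirm the steps above took effect on the server, the following added example (not part of the original page) audits a _files directory: it reports a world-writable directory, a .htaccess whose mode is not 0644, and a FilesMatch block that is missing, unclosed or has no deny rule. The function names and the temporary sample directory are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

OPEN_RE = re.compile(r'^<FilesMatch\s+"\\?\.\(.+\)\$">$', re.I)
DENY_RE = re.compile(r'^(Deny\s+from\s+all|Require\s+all\s+denied)$', re.I)

def audit_upload_dir(path):
    """Hypothetical audit helper (not from the page); empty list means OK."""
    findings = []
    dir_mode = stat.S_IMODE(os.stat(path).st_mode)
    if dir_mode & stat.S_IWOTH:
        findings.append("directory is world-writable (%04o)" % dir_mode)
    ht = os.path.join(path, ".htaccess")
    if not os.path.isfile(ht):
        return findings + [".htaccess is missing"]
    ht_mode = stat.S_IMODE(os.stat(ht).st_mode)
    if ht_mode != 0o644:
        findings.append(".htaccess mode is %04o, expected 0644" % ht_mode)
    # A deny rule only counts inside a block that is both opened and closed.
    inside = denied = closed = False
    with open(ht) as fh:
        for line in (raw.strip() for raw in fh):
            if OPEN_RE.match(line):
                inside, denied = True, False
            elif inside and DENY_RE.match(line):
                denied = True
            elif inside and line.lower() == "</filesmatch>":
                inside, closed = False, closed or denied
    if not closed:
        findings.append("no complete <FilesMatch> block with a deny rule")
    return findings

def build_sample(dir_mode=0o755, ht_mode=0o644, close_tag=True):
    """Create a constructed _files directory (sample data) in a temp location."""
    files = os.path.join(tempfile.mkdtemp(), "_files")
    os.mkdir(files)
    rule = '<FilesMatch "\\.(htaccess|htpasswd|ini|php|fla|cgi|log|sh|pl|txt)$">\n'
    rule += " Order Allow,Deny\n Deny from all\n"
    rule += "</FilesMatch>\n" if close_tag else ""
    ht = os.path.join(files, ".htaccess")
    with open(ht, "w") as fh:
        fh.write(rule)
    os.chmod(ht, ht_mode)
    os.chmod(files, dir_mode)
    return files

if __name__ == "__main__":
    print(audit_upload_dir(build_sample(dir_mode=0o777)))
```

Point audit_upload_dir at the real _files path on the server; the mode checks are only meaningful on Unix-like hosts.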