Protect all your folders with read, write and execute permission if you can! You should protect your _files directory best way would be if your server can handle directory with permission lower than 0777. This is just an extra security, if you server is configured correctly a folder with CHMOD 0777 is not a problem but sometimes being paranoid about security is not a bad thing.
Create a .htaccess file with following content:
<FilesMatch ".(htaccess|htpasswd|ini|php|fla|cgi|log|sh|pl|txt)$"> Order Allow,Deny Deny from all
Of course you can extend this as you like, but this will prevent most of the bad files getting executed through a web browser.
Upload it with your preferred FTP Client into your _files (or similar) directory and make sure this file has only following permission (CHMOD 0644), done!