The upload module needs to exist on the website, and permission authentication needs to be done to prevent anonymous users from accessing it.
The file upload directory is set to prohibit script file execution. Even if the dynamic script of the uploaded backdoor cannot be parsed, causing the attacker to abandon this attack path.
Set up a whitelist for uploading, which only allows images to be uploaded, such as jpg png gif. Other files are not allowed to be uploaded.
The uploaded suffix name must be set to an image format such as jpg png gif.