There is no foolproof method to prevent any type of file from injecting itself into a website.
If you detect or suspect one or several files have been uploaded into your website, treat them as you would treat mysterious attachments emailed to your business or personal accounts.
In short, this is what we recommend (you probably know most of this already):
(1) First and foremost, NEVER use NULLED plugins or themes. Trying to save $50.00 on a plugin or theme could cost you $250.00+ later on to clean your site.
(2) As @chrishajer mentioned above, read this well-written Gravity Forms article on web security.
(3) Perform a backend malware scan of your website using iThemes Security, Wordfence, or Sucuri. We use iThemes Security Pro.
(4) Go to siteguarding.com then perform a website scan for Code Base64 malware. It’s pretty good at detecting it. Caution: It may report false positives.
(5) Download the files to your desktop and perform a malware scan using Norton Security Power Eraser and Malwarebytes (both free). Scan the files with BOTH scanners.
(6) Go to virustotal.com then upload the files for a malware scan.
(7) Contact your host and ask them to perform a malware scan of your website soon after you suspect unknown files have been uploaded into your website. SiteGround, for example, will perform a courtesy malware scan of your website (or files) upon request and tell you immediately if your website has been compromised.
(8) Last but not least, you can limit the file types allowed to be uploaded into your website. For example, you can limit uploads to PDF files only, which are usually safe (the file type is hard to mask). We use File Upload Types by WPForms. It’s pretty good. You can also limit the file types via your .htaccess file.
(9) If any of the above methods reveals you have a malicious file, you know what to do. If you know the person or entity that uploaded the file, I would notify them as well.
The above procedure may seem lengthy, but if you follow it, it will certainly save you valuable time and money down the road.
Hope this helps a bit.
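An added example, not part of the original post: a small Python triage pass for the PDF-only policy in step (8), run over a downloaded copy of the uploads folder as in step (5). It flags files whose extension is off the allow-list, `.pdf` files that lack the `%PDF-` header, script extensions hidden in the name, and PHP or `base64_decode(` content; the function names, patterns and sample files are assumptions constructed for the illustration.

```python
import re
import tempfile
from pathlib import Path

ALLOWED_EXTENSIONS = {".pdf"}                  # assumed policy: PDF-only uploads, step (8)
SCRIPT_EXTENSIONS = {".php", ".phtml", ".phar"}  # assumed list of server-side script types
PDF_MAGIC = b"%PDF-"                           # a PDF file starts with this header
SUSPICIOUS = {                                 # assumed content indicators, step (4)
    "PHP open tag": re.compile(rb"<\?php", re.I),
    "base64_decode call": re.compile(rb"base64_decode\s*\(", re.I),
}

def triage_file(path):
    """Return the reasons a file deserves a closer look (empty list = nothing flagged)."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    if path.suffix.lower() not in ALLOWED_EXTENSIONS:
        reasons.append("extension not on allow-list")
    # Double extensions such as "notes.php.pdf" pass a check on the last suffix only
    if any(s in SCRIPT_EXTENSIONS for s in suffixes[:-1]):
        reasons.append("script extension in file name")
    data = path.read_bytes()
    if path.suffix.lower() == ".pdf" and not data.startswith(PDF_MAGIC):
        reasons.append("named .pdf but missing %PDF- header")
    for label, pattern in SUSPICIOUS.items():
        if pattern.search(data):
            reasons.append("contains " + label)
    return reasons

def scan_tree(root):
    """Walk a local copy of the uploads folder; map relative path -> reasons."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            reasons = triage_file(path)
            if reasons:
                report[path.relative_to(root).as_posix()] = reasons
    return report

def demo():
    """Scan four constructed sample files written to a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "form.pdf").write_bytes(b"%PDF-1.7\n% constructed sample\n")
        (root / "invoice.pdf").write_bytes(b"<?php echo 'constructed sample'; ?>")
        (root / "notes.php.pdf").write_bytes(b"%PDF-1.4\n% constructed sample\n")
        (root / "img.txt").write_bytes(b"$x = base64_decode ('c2FtcGxl');")
        return scan_tree(root)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

A clean result here only means none of these simple checks fired; the scanners in steps (3) to (7) still apply.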