In most cases the hacker uploading the backdoor files to the uploads folder.
Disabling PHP execution in this folder will prevent malicious PHP file being uploaded and consequently executed on the server.
Follow these steps to disable php execution in specific folders.
Create an .htaccess file with the following content.
<Files *.php> deny from all </Files>
Upload this file to the uploads folder.
This code checks for any PHP file and denies access to it.