By default, all files that you have uploaded to WordPress will be stored in /wp-content/uploads/ folder.
And by default, folders that come with WordPress installation i.e., plugins, themes will have index.php file. So when someone try to access that folder will stumble on a blank page.
But for this uploads folder, there is no index.php file created for it. So you need to create an empty index.php for that folder to protect it. Great!
But our next problem is, the sub-folders are not protected. So someone can view and get all files under this sub-folders like the image shown above.
You need to create a .htaccess file in the uploads folder and put this line in that file.
That’s it! Only one single line will help you to protect all files under that uploads folder.
If someone tries to open your uploads folder and its sub-folder will get a 403 Forbidden error message.