IIS 8.5 deny PHP upload

Published 2019-09-05 16:06

Question:

I have a WordPress website under Windows Server 2012 IIS 8.5, with the latest PHP and the latest MySQL.

My WordPress installation (4.7) is compromised. I need to reinstall it, update plugins, change themes, etc., but I have to wait for a response.

Every day I see some strange *.php files in the uploads folder. How can I deny PHP upload in this folder? I have access to the Web Server, and I can change whatever I want.

Maybe I can solve it with an .htaccess file or what?

I know that WordPress must have write access to many folders, like uploads. Indeed, if I deny IUSR write access to the uploads folders, those files do not appear, but I can't upload anything. I just need to deny *.php upload.

Answer 1:

To restrict PHP file execution in your upload folder when using IIS on Windows Server, you just need to upload a web.config file to your "upload" folder with the content below:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <handlers>
            <clear />
            <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
        </handlers>
    </system.webServer>
</configuration>

For more detailed explanation, just check here: http://www.wptricks24.com/disable-php-files-upload-folder-wordpress-iis

This is a very nice article for the same situation you are facing.
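
A read-only audit to go with the web.config above, added here as an example (it is not code from the answer or the linked article): it lists PHP-type files already present under the uploads folder and checks that the handler lockdown is still in place. The default path and the extension list are assumptions.

```powershell
# Added example. Read-only: nothing is deleted or changed.
# Requires PowerShell 4.0+ (Get-FileHash).
param(
    # Assumed location of the uploads folder; pass the site's real path.
    [string]$UploadsPath = 'C:\inetpub\wwwroot\wp-content\uploads'
)

# Assumed list of extensions commonly mapped to the PHP handler; extend as needed.
$scriptExtensions = '.php', '.php5', '.phtml', '.phar'

# 1. Script files already present anywhere under uploads, with hash and
#    timestamps so they can be matched against the IIS logs later.
Get-ChildItem -LiteralPath $UploadsPath -Recurse -File |
    Where-Object { $scriptExtensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            Created  = $_.CreationTime
            Modified = $_.LastWriteTime
            SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

# 2. The handler lockdown: web.config must exist, clear inherited handlers,
#    and add back nothing except the StaticFile handler.
$configPath = Join-Path $UploadsPath 'web.config'
if (-not (Test-Path -LiteralPath $configPath)) {
    Write-Warning "No web.config in $UploadsPath; inherited PHP handlers still apply."
    return
}
[xml]$config = Get-Content -LiteralPath $configPath -Raw
$handlers = $config.SelectSingleNode('/configuration/system.webServer/handlers')
if ($null -eq $handlers -or $null -eq $handlers.SelectSingleNode('clear')) {
    Write-Warning "$configPath does not clear the inherited handlers."
    return
}
$extra = @($handlers.SelectNodes('add') |
    Where-Object { $_.GetAttribute('name') -ne 'StaticFile' })
if ($extra.Count -gt 0) {
    Write-Warning ("Unexpected handlers in {0}: {1}" -f $configPath,
        (($extra | ForEach-Object { $_.GetAttribute('name') }) -join ', '))
} else {
    "OK: $configPath maps only the StaticFile handler."
}
```

Because the uploads folder is writable by the site's identity, re-running the check on a schedule shows whether the web.config has been removed or changed.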