PHP
Kakax, 2021-02-05 23:03:11

Chmod via web script?

There is a web server on Apache and PHP, with ISP. Not long ago it was hacked through vp. As a result, a very interesting script appeared there. With the help of this script you can browse directories, and if Apache's open_basedir parameter does not restrict it, then the entire server in general. As a result, it becomes clear that this is an important parameter.) 2nd, why, uh... through it you can change the chmod permissions on any files, upload, download, rename, and so on. Even if a file has 444 permissions... under any user.

How does it work? How to protect yourself from such a thing in the future? Tips for this situation, what to clean up? The data center's tech support throws up their hands. :(


2 answer(s)
Konstantin, 2021-02-06
@Kakax

Unfortunately, protection against such attacks can add inconvenience to the development and testing of scripts/sites, but you can get used to it. I do this:
1) Set the "open_basedir" variable for each site to the user's directory or the folder with the site. For each site I set the values through the php-fpm pool config.
If PHP runs as an Apache module, then this is done in the virtual host config with the following lines:

php_admin_value open_basedir "/var/www:/tmp"
php_admin_value disable_functions "popen, pclose, exec, passthru, shell_exec, system, proc_open, proc_close, mail, symlink"

The global value in php.ini right now is: open_basedir = "/var/www:/tmp", just in case.
2) I set the global value of the "disable_functions" variable in php.ini; right now I have this:
disable_functions = "get_defined_constants,apache_get_modules,virtual,getmyinode,apache_get_version,apache_getenv,ini_restore,-openlog,-syslog,highlight_file,show_source,symlink,-ini_get_all,-phpinfo,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,shell_exec,system,passthru,proc_open,popen,proc_close,proc_get_status,proc_nice,proc_terminate,leak,listen,chown,chgrp,apache_note,apache_setenv,closelog,debugger_off,debugger_on,define_sys,getmyuid,getmypid,diskfreespace,dl,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid,posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,posix_getsid,posix_getuid,posix_isatty,posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid,posix_setpgid,posix_setsid,posix_setuid,posix_times,posix_ttyname,posix_uname,expose_php,curl_exec,curl_multi_exec,-parse_ini_file,eval,link,putenv,-pack,gzinflate,gzuncompress"

If there is a hyphen in front of a function, for example "-ini_get_all", it means I want to temporarily disable the blocking of that function: the name "-ini_get_all" will be blocked completely, but no such function exists.
If something does not work while the site/script is running, look at error.log; the errors should be there.
If for some site the disable_functions value needs to be changed, I change it for that site separately. Either I strengthen the protection by blocking additional functions, or the other way round, I relax it.
3) Because my PHP runs as php-fpm, for each site I create a separate user, and the php-fpm pool runs as that user.
If PHP runs as an Apache module, then this is done through the mpm-itk module:
<IfModule mpm_itk_module>
    AssignUserId user1 user1
</IfModule>

4) For Apache I install the ModSecurity module (mod_security2). This is a web application firewall. It blocks suspicious HTTP requests before they reach the script/CMS. It works very well. Sometimes it even works too well, so that you have to turn off some of the rules, or all of them, for a particular site.
But implementing these 4 points does not guarantee the complete security of the site. One client's site was hacked even with such protections.
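As an added example (not code from this thread or from any of its authors), the following PHP self-check verifies, from inside a site's own pool or vhost, that the settings described above are in effect: whether open_basedir is set and contains a given path, which shell-relevant functions are still callable, and which files under the docroot are owned by the uid PHP runs as (the reason a 444 file is no obstacle: the owner may chmod it regardless of mode bits). The list MUST_BE_DISABLED, the use of __DIR__ as the docroot and the temp-file trick for learning the uid are this example's assumptions.

```php
<?php
// hardening_check.php: added audit example, not code from the original thread.
// Run it under the site's own PHP-FPM pool or mpm-itk vhost (as a page in the
// docroot, or `php hardening_check.php` as the site user) to confirm the
// settings described in the answer actually apply to that site.

declare(strict_types=1);

// Assumed list for the example: functions a web shell of the kind described
// relies on (command execution, symlinks, environment tampering, extension loading).
const MUST_BE_DISABLED = [
    'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open',
    'pcntl_exec', 'symlink', 'putenv', 'dl',
];

/** open_basedir entries in effect for this request, or [] if unrestricted. */
function openBasedirEntries(): array
{
    $raw = (string) ini_get('open_basedir');
    if ($raw === '') {
        return [];
    }
    return array_values(array_filter(array_map('trim', explode(PATH_SEPARATOR, $raw)), 'strlen'));
}

/** Names from $names that are still callable (function_exists() is false for disabled ones). */
function stillEnabled(array $names): array
{
    return array_values(array_filter($names, 'function_exists'));
}

/**
 * Containment check on an already-resolved absolute path. PHP's own open_basedir
 * does a plain prefix match, so "/var/www" also admits "/var/www-evil"; the
 * manual recommends a trailing slash. This helper insists on a directory boundary.
 */
function insideBase(string $real, string $base): bool
{
    $base = rtrim($base, '/');
    return $real === $base || strncmp($real, $base . '/', strlen($base) + 1) === 0;
}

/** Would $path be reachable given the allowed bases? Symlinks are resolved first. */
function pathAllowed(string $path, array $bases): bool
{
    if ($bases === []) {
        return true; // no open_basedir: everything the OS user can read
    }
    $real = @realpath($path); // false when missing, or already refused by open_basedir
    if ($real === false) {
        return false;
    }
    foreach ($bases as $base) {
        if (insideBase($real, $base)) {
            return true;
        }
    }
    return false;
}

/** Uid PHP runs as, learned from a file we create (posix_* and getmyuid are often disabled). */
function effectiveUid(): ?int
{
    $tmp = @tempnam(sys_get_temp_dir(), 'hc');
    if ($tmp === false) {
        return null;
    }
    $uid = fileowner($tmp);
    @unlink($tmp);
    return $uid === false ? null : $uid;
}

/** Files under $dir owned by $uid: mode 444 does not stop the owner from chmod'ing them. */
function ownedByUid(string $dir, int $uid, int $limit = 20): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable subdirectories
    );
    foreach ($it as $file) {
        if ($file->getOwner() === $uid) {
            $hits[] = $file->getPathname();
            if (count($hits) >= $limit) {
                break;
            }
        }
    }
    return $hits;
}

$bases = openBasedirEntries();
echo "open_basedir: ", $bases === [] ? "NOT SET (whole filesystem readable)" : implode(', ', $bases), "\n";
echo "/etc/passwd reachable: ", pathAllowed('/etc/passwd', $bases) ? "yes" : "no", "\n";

$enabled = stillEnabled(MUST_BE_DISABLED);
echo "risky functions still enabled: ", $enabled === [] ? "none" : implode(', ', $enabled), "\n";

$uid = effectiveUid();
$docroot = __DIR__; // assumption: the script sits in the site's document root
if ($uid !== null) {
    $owned = ownedByUid($docroot, $uid);
    echo "files in $docroot owned by PHP's uid $uid (chmod-able despite 444): ", count($owned), "\n";
}
```

If the last line reports many files, the site's code is owned by the same user PHP runs as, so per-site users (point 3) only isolate sites from each other; owning the code by a separate deploy user and leaving the PHP user only its upload directories is what stops a shell from rewriting the code. Remove the script once the check is done.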

Sasha333, 2021-02-05
@Sasha333

Have you tried installing WP not as root? Suppose we created a user with limited rights in the same ISP and installed WP under it; does this shell then still give access to all directories, even beyond the rights of that FTP user?
