Disable the ability to access functions through variables?
I found an injection of the form:
$x = "\x66\x69\x6ce\137\x67\x65t_\143\157\156\164\x65\156t\x73"; // "file_get_contents"
echo $x("test.php");
echo file_get_contents("test.php");
No way. These are language constructs.
The most you can do is disable some functions:
disable_functions = file_get_contents
1) Do not save FTP passwords in FTP clients and do not get infected by a virus that steals them
2) If you install phpMyAdmin, plugins for WordPress, and other open source software of unknown quality on the server, block access to it via HTTP authorization (via password). Automatic scanners that crawl the network looking for vulnerabilities will fail.
3) If you are making a site where users can upload files, upload their files to a folder where PHP scripts are disabled.
4) If you download free CMS themes, plugins, or WordPress themes from somewhere other than the official, moderated site, check whether they contain code inserts. You know where the free cheese is!
Following these 4 simple rules protects against almost all vulnerabilities and you will not have this situation again.
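For rule 4 (checking downloaded code for inserts), one way to spot the escaped-string trick from the question, as an added example that is not part of the original thread: the scanner decodes PHP double-quoted escapes and reports literals that resolve to a watched function name. The watch list, the function names and the sample file are assumptions constructed for this illustration.

```python
import re

# Assumed watch list for this example; align it with your own disable_functions.
WATCHLIST = {"file_get_contents", "eval", "assert", "system", "exec",
             "shell_exec", "passthru", "base64_decode", "create_function"}

# Heuristic matchers: a PHP "..." literal, and the escapes PHP expands inside it.
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|.)', re.S)
SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "e": "\x1b",
          "f": "\f", "\\": "\\", "$": "$", '"': '"'}

def decode_php_string(body):
    """Expand hex, octal and simple escapes as PHP does (Unicode escapes not handled)."""
    def repl(m):
        esc = m.group(1)
        if esc[0] == "x" and len(esc) > 1:
            return chr(int(esc[1:], 16))
        if esc[0] in "01234567":
            return chr(int(esc, 8) & 0xFF)
        return SIMPLE.get(esc, "\\" + esc)  # unknown escapes stay literal
    return ESCAPE.sub(repl, body)

def find_hidden_calls(source):
    """Report escaped literals naming a watched function: (line, name, called)."""
    findings = []
    for m in DQ_STRING.finditer(source):
        raw = m.group(1)
        decoded = decode_php_string(raw)
        if decoded == raw or decoded.lower() not in WATCHLIST:
            continue  # plain literal, or not a name on the watch list
        line = source.count("\n", 0, m.start()) + 1
        # Is the literal assigned to a variable that is later invoked as $var(...)?
        assign = re.search(r'(\$\w+)\s*=\s*$', source[:m.start()])
        called = bool(assign and re.search(
            re.escape(assign.group(1)) + r'\s*\(', source[m.end():]))
        findings.append((line, decoded.lower(), called))
    return findings

# Constructed sample file reproducing the snippet from the question.
SAMPLE = r'''<?php
$title = "Hello\n";
$x = "\x66\x69\x6ce\137\x67\x65t_\143\157\156\164\x65\156t\x73";
echo $x("test.php");
echo file_get_contents("test.php");
'''

if __name__ == "__main__":
    print(find_hidden_calls(SAMPLE))
```

The regex-based literal matching is a heuristic; string concatenation or other encodings will not be caught by this check.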