PHP

What steps are required to protect files when UPLOAD?

A mailing system is created for the application.
In this case, the client, each user himself forms the type of mailing for his subscribers.
- It should be able to upload both images and attachments (only limited to PDF and ZIP/RAR).
- Pictures must be available from the mailing server (they should not be attacked in the body of the letter, since there will still be a web version of the mailing list).
- How to organize: a place for these files, protection of the space where files are uploaded from malware and the issuance of the files themselves by the server.
I would like to make a reservation right away that proposals to issue files through a script are not considered, since one client can have hundreds of thousands of mailing list recipients, and even a small part of them if they immediately open the mailing list, and each picture will be given through the script - this is unrealistic for a simple server (IMHO).
UPD1 does it make sense to save pictures on a separate virtual machine, and if so, how to do it???