The main thing I do to avoid this is to host files on a separate server without PHP or a block storage service like S3 or B2. Make sure the domains are different too so you can't steal cookies.
You can also run a ClamAV scan to catch very obvious threats.
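
One way to verify the "different domains" advice above, as an added example that is not part of the original comment: given the `Set-Cookie` headers the application emits, it reports which cookies a browser would also send to the file host, using the RFC 6265 domain-match rule. The host names, cookie values and function names are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample data: the app's host and the Set-Cookie headers it emits.
APP_HOST = "app.example.test"
SAMPLE_SET_COOKIE = [
    "session=abc123; Domain=example.test; Path=/; Secure; HttpOnly",
    "csrf=xyz789; Path=/; Secure",  # no Domain attribute: host-only cookie
]


def domain_match(request_host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match (host names only, not IP addresses)."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    # Match on a label boundary, so "badexample.test" does not match "example.test".
    return host == dom or host.endswith("." + dom)


def cookies_sent_to(upload_host, app_host, set_cookie_headers):
    """Return the names of app cookies a browser would also send to upload_host."""
    exposed = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            domain_attr = morsel["domain"]
            if domain_attr:
                # Domain attribute set: the cookie covers that domain and every subdomain.
                if domain_match(upload_host, domain_attr):
                    exposed.append(name)
            elif upload_host.lower() == app_host.lower():
                # Host-only cookie: sent only to the exact host that set it.
                exposed.append(name)
    return exposed


if __name__ == "__main__":
    for host in ("files.example.test", "example-usercontent.test"):
        names = cookies_sent_to(host, APP_HOST, SAMPLE_SET_COOKIE)
        print(host, "receives:", names or "no app cookies")
```

A sibling subdomain still receives any cookie scoped to the parent domain, which is why the file host here needs a separate domain and not just a separate server.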