Defender, NGINX, and access to Root for things

Hello - I use Cloudways - which is a layer on top of a Vultr Cloud Server. My website is hosted on an NGINX server (all of my sites are hosted there)

So, of course I do the Defender scan - the message I get is I need to make changes for "Prevent PHP Execution" and "Prevent Information Disclosure"

I have asked Cloudways to help me with the Root - they will not -

So I created an .htaccess file with:
<Files *.php>
deny from all
and placed it in the wp-includes/ and /wp-content/uploads/ folders.
yet I still get a message from defender -

so - can you help me on this once and for all - so I can do this across all 50 sites?