The Wakaba and Kareha support thread, part 2 (1000)

481 Name: !WAHa.06x36 : 2009-01-06 12:17 ID:Heaven

Well, the core issue is that PHP is broken and will execute files without the +x bit set. This is horribly insecure, and should never have been implemented, but apparently now we're stuck with it.

The best solution is to completely disable PHP. If you have to use it, enable it only for folders known to be safe from uploads and disable it everywhere else.

To add extra protection in Wakaba for it, though, rather than mess with file, it'd be far easier to just dump all files whose filename matches /\.php/. This issue shouldn't affect any CGI languages, since those won't run without +x.
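
The filename check described in the post above, as an added example in Perl (the language Wakaba is written in); it is not part of the original post or of Wakaba's code, and the function name, the extension allowlist and the sample filenames are assumptions. It matches case-insensitively, which goes beyond the pattern as written in the post.

```perl
#!/usr/bin/perl
# Added example, not Wakaba's own code. The function name, the allowlist
# and the sample filenames are assumptions made for illustration.
use strict;
use warnings;

# Hypothetical allowlist of final extensions an image board might accept.
my %ALLOWED_EXT = map { $_ => 1 } qw(jpg jpeg png gif);

# Returns a rejection reason, or undef if the client-supplied name is acceptable.
sub upload_name_rejection {
    my ($name) = @_;

    # Drop any directory part the browser sent (both separator styles).
    $name =~ s{^.*[\\/]}{};

    # The check from the post: ".php" anywhere in the name, not only at the end.
    # /i is an addition here so ".PHP" and ".pHp" are handled the same way.
    return 'name contains .php' if $name =~ /\.php/i;

    # Ordinary final-extension allowlist, applied after the .php check.
    my ($ext) = $name =~ /\.([^.]+)$/;
    return 'no extension' unless defined $ext;
    return "extension .$ext not allowed" unless $ALLOWED_EXT{ lc $ext };

    return;
}

# Constructed sample filenames. "x.php.jpg" is the case a final-extension
# check alone would accept; the unanchored match rejects it.
for my $name (qw(cat.jpg photo.PNG notes.php x.php.jpg y.PHP5.gif archive.tar)) {
    my $why = upload_name_rejection($name);
    printf "%-12s %s\n", $name, defined $why ? "REJECT ($why)" : 'accept';
}
```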
