/upgrade directory vulnerability

Just not having an index.php there won’t cause you to get hacked, nor will putting one there solve that.

In your Apache web server configuration you want to add AllowOverride All and -Indexes.

<Directory />
   Options -Indexes
   AllowOverride All
</Directory>

That Options line will turn off the ability to view directory contents like that. The AllowOverride permits things like fancy permalinks work.

Make sure you make a backup copy of any file you edit first. If you make a typo here, then your web site will stop working and that backup copy will save you lots of grief.

As for the hacked site:

Start working your way through these resources:
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/

https://sitecheck.sucuri.net/scanner/
https://www.unmaskparasites.com/

https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

https://www.studiopress.com/tips/wordpress-site-security.htm

Once WordPress completes the upgrade the contents is removed. So it should be an empty directory.

So the next time you install an update your index file will also be removed leaving an empty directory again.

If you’re being hacked I would put money on it being absolutely nothing to do with the upgrade folder but more than likely an outdated or poorly coded plugin.