Thank you for your answer.
httpd.conf directive set as you stated.
So maybe allowed by some virtual host as there are running couple of wordpress instances.
In regards to bad files - as I stated, this was discovered by MS Defender and those files automatically removed.
Defender report example:
Status: Removed
Threat found: Backdoor:Win32/Dirtelti!ml
Severity: High
Category: Backdoor
Related files:
...\wamp\tmp\php9EA3.tmp
Similar for other files as well - Trojans, Backdoors, Malware etc...
Trojan
HP/Obfuse!MSR
Trojan
cript/Wacatac.B!ml
all of them via uploaded phpxxx.tmp files into wamp tmp folder.
In my opinion, somebody is abusing some security hole somewhere in wamp or wordpress to upload infected file to wamp tmp folder, fortunately Defender realtime control does not allow any more actions I hope.
My goal is to make sure such files cannot be uploaded to wamp tmp / or in other words nobody could anyhow force php/apache to upload such file. I am sorry if using bad terminology.
Thank you.