I like the acronym RAT (remote access trojan), because it resembles another type of thing you need to get rid of from your kitchen, and because when you get rid of one and find the hole it made and fix the hole and set traps and invest your time getting into the mind of the rat, you still can't truly rid yourself of all until you rebuild your house out of concrete.
In .htaccess, a proposed temporary measure to deal with a compromised server might be;
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REMOTE_ADDR} !123.456.789.000
RewriteRule .* /nopost.html [R=301,L]
Some rats poo on your kitchen, some rats help other rats, and some steal your food.
Given access.log shows a whole load of POST requests taking place on these injected base64 encoded files, is it correct to assume that preventing POST requests as above will resolve the problem of those pests breeding further, not to mention they will not be allowed to POST poo on the kitchen floor in the meantime?
Or will it just stop the rats' deposits?
This might stop some specific backdoors that only accept POST requests. But it will not stop backdoors in general.
A backdoor might accept parameters via GET request, e.g. bad.php?command=somecommand. Or it might execute commands sent via a custom HTTP Header.