Why would it have accepted a .php file then?
Well, unfiltered_upload is the option to instruct the system to not filter file types, isn’t it? What I was asking is when the file types filter was introduced, not the unfiltered_upload option. Please correct me if I am misunderstanding.
I think that it was version 2.0.x, but I am not positive. It might have been 2.1.x.
I have used WP as a light CMS for several sites. If you aren’t looking for more than just the ability to edit static pages then it works great.
Ah, so according to this article, WP does check file types (at least extensions). In what version was this introduced (I am using 2.3.1 now but wasn’t when the exploit occurred)?
Yes, I understand that my site won’t be bulletproof even if you only allowed images to be uploaded, but it’s a good security step nonetheless.