Another Apache disaster; blueimp's plugin has nothing to do with it: it's common for script kiddies to try to upload PHP executables on PHP sites, and sometimes it works.
I do think that my project is responsible and not Apache, since I provided sample code that was not secure by default when used in a default Apache configuration as is.
However I wish Apache would have changed their default config in a way that would have signalled an error if an .htaccess file is present but not applied.
Something that HN user fulafel also pointed out here: https://news.ycombinator.com/item?id=18272407