
Flarum.org Security Breach

1 point by l2dy over 1 year ago

1 comment

theamk over 1 year ago

Some people say that only programmer skills matter, and that languages like PHP are not intrinsically bad. Or that past PHP was bad, and modern PHP is a fine language. But the language defaults still matter, as this case shows. Look at the official Flarum install instructions [0]:

> The user that Flarum is running as MUST have read + write access to: The root install directory, so Flarum can edit config.php. The storage subdirectory, so Flarum can edit logs and store cached data.

Bam! Instant persistence for malware. Any remote execution bug is instantly and trivially elevated to a permanent remote shell, which also survives code updates and server restarts. Many common security practices are defeated by PHP's common habits:

- Can you run the thing in Docker read-only mode? Nope, it needs to edit config.php and upload files into "storage", right next to the main code.

- Can you at least check for unexpected changes? Nope, see that config.php again.

- Maybe at least sandbox the webapp, so it does not have access to the random backups? Nope, while it's possible in PHP this is super uncommon, and impossible in the common case (Apache's mod_php).

In most other languages/ecosystems, saying "let's give our webapp user access to modify program files" will be rejected as horribly insecure. An attacker could still exfiltrate data via code injection, or achieve persistence, but they'll have to work hard for this. Not so in the "modern" PHP apps.

Stay away from PHP, folks, if you value security at all.

[0] https://docs.flarum.org/install#folder-ownership
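The comment's second point, "can you at least check for unexpected changes?", can be partly answered even when the install root must stay writable: hash everything except the paths the app is documented to write, and treat runnable code appearing inside the writable storage/ tree as a finding. The script below is an added example for this thread, not code from Flarum or from the commenter; the layout (config.php and storage/ at the install root) follows the quoted install instructions, and the file names in the usage section are constructed for illustration.

```shell
#!/bin/sh
# Added example: baseline/verify integrity check for a PHP install tree whose
# web user must be able to write config.php and storage/. Those two paths are
# excluded from the hash manifest, and storage/ is separately scanned for
# anything that looks like server-side code (it should only hold logs/cache).
set -eu

# Hash every regular file under $1 except the app's documented writable paths.
# Output is sorted so two manifests of an unchanged tree are byte-identical.
build_manifest() {
    root=$1
    ( cd "$root" && find . -type f \
          ! -path './config.php' ! -path './storage/*' -print0 \
      | sort -z | xargs -0 -r sha256sum )
}

# Compare a stored baseline manifest against the live tree.
# Prints the differing lines and returns 1 when the code tree has changed.
verify_manifest() {
    root=$1 baseline=$2
    build_manifest "$root" > "$baseline.now"
    if diff -u "$baseline" "$baseline.now"; then
        rm -f "$baseline.now"; return 0
    fi
    rm -f "$baseline.now"; return 1
}

# Any file with a server-side extension under the writable storage/ tree is
# unexpected for a logs/cache directory. Lists offenders and returns 1 if any.
scan_storage() {
    root=$1
    found=$(find "$root/storage" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) \
        2>/dev/null || true)
    [ -z "$found" ] || { printf '%s\n' "$found"; return 1; }
}

# Usage (paths are assumptions): record a baseline right after install or
# upgrade, then run the two checks from cron and alert on a non-zero exit.
#   build_manifest /var/www/flarum > /var/lib/integrity/flarum.sha256
#   verify_manifest /var/www/flarum /var/lib/integrity/flarum.sha256
#   scan_storage /var/www/flarum
```

Edits to config.php and files written under storage/ never trip verify_manifest, so the baseline stays valid across normal operation and only needs regenerating after a legitimate code update.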
Some people say that only programmer skills matter, and that languages like PHP are not intrinsically bad. Or that past-PHP was bad, and the modern PHP is a a fine language. But the language defaults still matter, as this case shows: Look at the official Flarum install instructions [0]<p>&gt; The user that Flarum is running as MUST have read + write access to: The root install directory, so Flarum can edit config.php. The storage subdirectory, so Flarum can edit logs and store cached data.<p>Bam! Instant persistence for malware.. Any remote execution bug is instantly and trivially elevated to permanent remote shell, which also survives code updates and server restarts. Many common security practices are defeated by PHP&#x27;s common habits:<p>- Can you run the thing in docker read-only mode? nope, need to edit config.php, and upload files into &quot;storage&quot;, right next to the main code.<p>- Can you at least check for unexpected changes? Nope, see that config.php again.<p>- Maybe at least sandbox the webapp, so it does not have access to the random backups? Nope, while it&#x27;s possible in PHP this is super uncommon, and impossible in common case (apache&#x27;s mod_php).<p>In most other languages&#x2F;ecosystems, saying &quot;let&#x27;s give our webapp user access to modify program files&quot; will be rejected as horribly insecure. Attacker could still exfiltrate data via code injection, or achieve persistence but they&#x27;ll have to work hard for this. Not so in the &quot;modern&quot; PHP apps.<p>Stay away from PHP, folks, if you value security at all.<p>[0] <a href="https:&#x2F;&#x2F;docs.flarum.org&#x2F;install#folder-ownership" rel="nofollow noreferrer">https:&#x2F;&#x2F;docs.flarum.org&#x2F;install#folder-ownership</a>