The recent post about what people are using for webmail got me thinking about a perhaps irrational policy I have with my own self-hosted software: I don’t install anything written in PHP, because I have this vague notion that PHP software is often insecure. I think I probably got this idea because years ago I saw all the vulnerabilities in PHP webmail clients and PHP software like Wordpress and decided that it was the language’s fault—or at least a contributing factor.
Maybe this isn’t fair. Maybe PHP is just more accessible to new devs and so they’re more likely to gravitate to it and make security mistakes. Maybe my perception isn’t even accurate, and webmail / blog software written in other languages is just as bad—but PHP gets all the the negative attention because it’s so prevalent for web apps. Maybe my policy was a good idea, years ago, but now it’s just out of date.
To be clear, I’m not trying to stoke the flames of a language holy war here or anything. I’m honestly asking: Is it maybe time to revisit my anti-PHP policy? I’m looking longingly at some federated software like Pixelfed and wondering if maybe I’m just being a little too close-minded.
So I’m interested in your own experiences and polices here. Where do you draw the security line for what you will or won’t host, and what made you make that choice?
I have a background (in the distant past) as a PHP dev, and currently make my income doing mostly Wordpress work.
For a very long time I took a jaundiced eye towards big PHP apps for the exact same reasons. That being said, I just two days ago finally installed Nextcloud in my homelab and exposed it to the world.
It’s worth noting that a lot of PHP’s bad rep comes from Wordpress, which is terrible in security terms in large part due to a huge and very poorly vetted ecosystem of plugins written by coders of all skill levels.
PHP itself had a number of anti-features which made security difficult in the past. A lot of those issues have been worked on. As somebody who was up to my eyeballs in PHP for years during the bad old days, I’m now confident installing big PHP apps if I think the dev team and dev process are reasonably mature.
Good to hear that many of PHP’s “bad old days” issues have been fixed. That lines up with what other commenters here have said. I actually wrote some PHP way back then but not since, and I think that may have unfairly colored my current-day views on the language.