Thanks for your post. I agree with everything you said about PHP, including “the ease of the language means that it is often poorly written.” I think the ease of the language is also one reason that PHP is used so much across the web. It has a relatively low maintenance burden because, unlike many other languages, pretty much all shared web hosting providers have PHP pre-configured, so all you have to do is upload PHP files alongside your HTML files and it will just work for the most part. This is a big difference in comparison to languages like Node.js or Go, where you have to start the program running and then figure out how to keep it running 24/7.
PHP has been the bedrock of web development for decades. It was actually the first server-side language I learned how to program in, 15 years ago. It has historically been one of the most dependable server-side programming languages, but the question is: does it still hold that place in today's fast-changing, ever-growing market of programming languages?
PHP has a lot of things going for it: historical reliance, a large base of programmers who know and program in it, server support in essentially every shared hosting plan available, as well as being the foundational language of two of the most popular Content Management Systems available (WordPress and Drupal). Ease of use for newcomers is also key to its success. Once PHP is integrated with the web server, it rarely if ever has to be managed or restarted, and individual PHP scripts are run automatically by the PHP server service.
There is a lot of competition in today's programming market. Many of these languages have better tooling, are more exciting to work in and have great features that help with reliability, such as typed variables, native multi-threading and faster processing. But are these improvements worth the cost of the reliability and dependability of PHP? For me, that depends on the use case. If the application isn't going to have anyone experienced with managing it routinely, PHP is the best route to go because of the ability to easily deploy it on shared hosting environments by just uploading the scripts. Other languages such as Node.js, Swift, Go and others require an executable to be run, and to ensure it remains up in the event of a crash, there needs to be a secondary server that restarts the application. If you need modern tooling with robust features such as typed variables and multi-threading, it can help to use a more modern language rather than trying to use new libraries that make PHP more modern.
Ultimately, I think it comes down to personal preference most of the time. There are likely few cases where any specific server-side language is going to drastically change things, unless the application is frequently under a large load or has a lot of intensive data processing tasks.
This is a great post, outlining a lot of important aspects around security and the people involved. I agree that there are essentially three roles and that those roles might be fulfilled by the same person or by two or three different people or even organizations.
Something I would add with regard to using trusted Wi-Fi connections is that there are a lot of services out now that provide VPNs (Virtual Private Networks), which provide a secure tunnel between your computer and that service. VPNs are a great solution for using the internet from potentially insecure Wi-Fi locations like fast-food restaurants, hotels and more.
Website visitor security is important, and I believe the responsibility falls on a couple of roles, which may or may not be the same person or company, or separate people or companies.
A large amount of the responsibility for website security lands on the website programmers, both front-end and back-end. There are a number of attack vectors that hackers and other malicious parties can attempt on a website, and it is up to the programmers to understand common errors and to apply robust programming tactics in order to keep valuable customer information from falling into the wrong hands.
Responsibility also falls on the web server manager. This could be the programmer, a separate person in the same company, or even a separate company if web hosting is outsourced. The security of the website itself doesn’t matter if the server that is making the website available to the rest of the web is insecure. For this reason, it’s important that programmers who don’t understand the dynamics of web hosting management outsource that task rather than trying to handle it themselves.