I've done PHP development for over 20 years, including some pretty large projects. I've never had a situation where a security flaw in PHP itself forced me to scramble to patch something before it got hacked.

On the other hand, for my Linux servers, I had to do that twice in the last month with CopyFail and DirtyFrag.

Every time I venture in the the web server's error log, I see all of the skiddie's attempts at accessing the most common things with most of them being .php files. Lots of /wp/admin.php and /phpadmin/ type requests. Of course, none of those are available which is why the requests are in the error log. I've never paid attention, but I wonder how long (as in how little time) for a new server to come online before it starts to get probed by a skiddie. Whether they are just war dialing IPs or paying attention to new domain announcements but I'd put it on a few hours tops.

> They cannot be that bad if they are managing to be ductape of the internet.

I think there are just a whole lot of tools written for them. So non devs can spin things up and click some things together.

Is that safe and secure? Maybe, if the devs did their work well. But I'm positive no one reads the docs on how to configure something securely.

I think the real reason is that it's very cheap to host, and always has been

cPanel is Perl.

> They cannot be that bad if they are managing to be ductape of the internet.

Oh, it very much can be that bad. Most "security" relies on the Hungry Tiger Theory of Security(tm).

My system doesn't need to be "secure". My system simply needs to be more secure than yours. As long as there is an easier and/or more valuable target somewhere, I'm "secure". I don't need to outrun the hungry tiger; I only need to outrun you outrunning the hungry tiger.

That theory, of course, doesn't hold anymore when there are enough tigers to simply eat everybody. And that's what AI did; it multiplied the tigers enough that they can just gorge on everything.

Now, people are going to have to put in "actual security" or lose real money over and over and over. And since everybody has outsourced everything, nobody knows how to fix it quickly. The lawyers are going to have a field day.

At the end, however, we'll have real security on our internet facing systems. But man, it's going to be painful for a while.

How does that follow?