@glyph @jalefkowit From what we hear, it's also often Wordpress plugins getting hacked - I don't know how often it's the core of Wordpress itself. (We've never used Wordpress and don't know much about it.) Plugins that for all we know, might be written by those newbie programmers that PHP lets actually program instead of just staring at an impenetrable wall, getting daunted, and walking away.

Should the stuff be secure? Absolutely! But the way to fix that is good tutorials and stuff that teach people how to write good code, as well as potentially giving PHP better defaults if those are bad, not "throw PHP in a ditch, use Python or whatever, it's Inherently Better". (I personally don't jive with Python because of its whole "personal style is bad, you MUST use the ONE TRUE WAY for everything" culture. It's not anywhere near as bad as Rust in that respect, though.)