WordPress (and PHP) are not bad things. They are things that have been designed for very specific purposes, and they actually excel at those things. Both are extremely easy to get up and running. They can run practically anywhere etc.

There are entire languages written with the design goal being security. It's not a matter of whether or not something is a capable tool (ie: runs 23% of the internet), it's whether or not it's the right tool for the job. PHP clearly isn't.

I don't think an application written in PHP makes it inherently insecure. Maybe if you're talking about some 2004-style PHP with magicquotes and register globals enabled, but not in 2014 with a modern stack/framework. You could write a shitty ruby app just as easily as you can write a shitty php app.

Writing your code in PHP, no matter how good of a programmer you are, makes it more likely that your natural level of mistakes will insert security issues into the code, especially when compared to a language with even basic features like static typing. I'm not saying this as some idiot who thinks PHP is bullshit and for noobs, I've worked on pretty large sites using PHP and I have a pretty deep understanding of it.

Everyone likes to say security is mission critical, but for the vast majority of people it really isn't. And for those people the development speed advantage, massive developer market, libraries etc. you get working in Ruby or PHP are well worth it.

Everything is tradeoffs, and it seems to me that in writing voting software deployability, development speed etc., are not nearly as mission critical as security.

> Writing your code in PHP, no matter how good of a programmer you are, makes it more likely that your natural level of mistakes will insert security issues into the code

While I'm inclined to agree, this is a self-defeating premise. If you're "so good" of a programmer that you do not make security affecting mistakes (i.e. one of only a handful of PHP programmers I've met), then the probability of inserting "security issues" into your code is still zero, regardless of language.

> I'm not saying this as some idiot who thinks PHP is bullshit and for noobs, I've worked on pretty large sites using PHP and I have a pretty deep understanding of it.

Good. :)

I don't understand your reply. No one is good enough to write code without bugs.

> No one is good enough to write code without bugs.

This is congruent to saying, "Whitelists don't exist. Everyone implements poorly scoped black-lists."

I literally have no idea what you mean by this. Are you trying to imply there are people who write bug free code? If so please point me in their direction.

People make mistakes. Systems should be designed for this expectation. If mistakes are extremely costly it implies you should use certain tools and development methodologies, if not you can use others.

Code that is bug-free and code that is free of security-affecting bugs are not the same thing.

For an example of an application that is currently free of application-layer security bugs, see my blog. It's not a CMS, I wrote it myself. Go ahead and try to hack it. :P

I feel like you're arguing against a strawman that I don't think secure applications can be written in PHP. I don't think that.

Edit: put another way: if you are starting from scratch and your main focus is security, why would you use PHP?

Familiarity. I know its quirks inside out and therefore know which mistakes not to do. If you point me to Python and say "build a secure web app," I'm going to need to spend a lot of time researching.

WordPress is also far from the most secure or correct system in the world.

It's getting better. I, for one, am going to begin contributing to the core code :)

A voting counter shouldn't be compiled using hopes and dreams, but using proven coding methodologies. What you are suggesting, and what I see when I read it: http://www.usmra.com/repository/category/electrical/techsupp... (Indian electrical grid)