I really dislike both PHP and WordPress despite using the latter, and thus the former implicitly, for this blog. Why? Because both make it far to easy to be hacked. Which happened to me just a few days ago. Despite not installing any third-party WordPress plugins and having a robust firewall against malformed web requests and regularly updating my software. In this case someone exploited a WordPress 4.7.0/4.7.1 vulnerability recently introduced into its REST API. They managed to replace my most recent post prior to this one. Google “attack /index.php/wp-json/wp/v2/posts” to learn more about this vulnerability.
Fortunately I backup my WordPress database and was thus able to restore it to a known good state. And this particular vulnerability did not allow the attacker to change any files; only content in the WP database. I was fortunate because I make regular backups of critical files and have my web site managed by git source code management. The former made it relatively easy to recover from the hack and the latter made it easy to determine my static content had not been compromised.