Seriously, man: OpenBSD? Really?
As you can see, pointless flaming can be done about anything. If you want to critcize PHP, come up with some proper and valid arguments. Otherwise, you're nothing more than a loudmouth fanboy. I have several PHP websites running for many years, without a single hack, without a any significant downtime (besides server maintaince) and with proper speed. PHP is just a tool, it's the developer that makes it a good or bad website.
I understand they replaced nginx with something different. But why a half-finished webserver that doesn't even support things like URL rewriting. For those who seek a secure webserver, but with features to properly support the modern website/framework/CMS, try the Hiawatha webserver.
The issue described in this topic (cross-site scripting) is very old (about 15 years in this case). But so is its solution. The same goes for all other security issues. There is no reason and therefor no excuse to have such or any other known vulnerability in your website today. Specially because the solutions are very easy. Security is no rocket science!
The majority of all hack attempts are for SQL injection, cross-site scripting, cross-site request forgery, remote file inclusion, directory traversal, etc. You can look them up, there are even many websites dedicated to them (owasp.org for example). There is, I say it again, no excuse to not know about these vulnerabilities and to have one of them in your website.
The only web developers who still have such security bugs in their software are 1) lazy 2) incompetent 3) not interested in security or 4) have been asleep for 15 years. For whatever the reason is, it's not wise to use their software!/p.
I don't think you arguments are valid. There is much more between a free Wordpress website and a custom coded CMS + all the extra's. You know this. And sure you can setup a website in 20 minutes for free. But if that's the price you want to pay, than that's the quality you get. And btw, I also can setup a website within 20 minutes for free, but with a CMS that even the most skilled hacker will have a hard time with to hack.
And before you come up with "but my Wordpress websites also have never been hacked", I meant: hack-free without any update or me having to worry about its security.
Sorry, I'm not going to tell. Because everytime I did, the discussion ended in a useless flamewar with people coming up with all sorts of nonsense arguments that had nothing to do with security, just to criticize my framework. The framework I use is not 100% perfect. And of course it also can't be, because things like user-friendliness and shininess are very personal / subjective. But its security is good and I have years of hack-free websites to proof that. And several of those receive many daily attacks, because of the ICT-security-related content of the website.
My only point is: try to give security a higher priority and do some research before using a framework. There are many CMS'es out there which my not be as shiny as Wordpress but are more than good enough and have a better security than Wordpress.
So, that left your website vulnerable for a few hours... again!
And being a prime target wouldn't be a problem if it had proper security...
And when the first plane crashes due to a bug in the pilot software, we all start wondering again if removing the pilot was a wise decision.
This whole Germanwings plane crash shows, again, one important thing: people suck at dealing with risks. Several hundred thousands of flights went well. The last incident with a pilot causing a plane to crash was back in 1995. The Germanwings plane crash was an incident. We must learn to treat it that way, as an incident. No reason to panic and start changing policies, rules and procedures. With every change, new risks and new ways of things to go wrong will be introduced. When that happens and you again make changes, you end up in a loop of changing things. The result: the changes will cost a lot of time, energy and money while the risks are not reduced.
We need to start accepting that risks are part of our life. Unacceptable risks need to be dealt with, but more important: acceptable risks should be accepted, even when they occur!!!!