Bad applications full of security flaws can be written in basically every language.
The thing with PHP is there are still extremely old apps that just haven't been updated to modern standards, because PHP itself is much older and thus predates more modern JavaScript/Ruby/Python apps. WordPress in particular hasn't changed all that much, and insists on using a wildly outdated database layer in the name of remaining compatible with old plugins, because those plugins are what people turn to WordPress for.
As with any app you don't completely trust, the solution is to restrict what it can do as much as possible. Run with minimum privileges, sandbox it in a container, whatever is needed.