Personally I'm not well versed in PHP, but there are some hints:
- The implementation: PHP doesn't have the greatest track record when it comes to security.
- The language: it's a permissive language and as such leaves a lot of room for "bad code".
- The ecosystem: it can get very bad too, with buggy libraries being legion.
PHP itself isn't fundamentally insecure. There are sane libraries and sane frameworks/subsets of PHP that you can use, and as long as you keep the engine up-to-date, there shouldn't be major issues. But the thing is, PHP is popular, so there is a lot of mess that happened and will happen.
Security modules such as Snuffleupagus can be used to kill entire bug classes. Maybe you can read about them, as that can give you an idea of common PHP code weaknesses.
Flarum, in this case, doesn't look too bad and is modern PHP software.
And now I'm going crazy: if you were to develop some general sort of web page/application from the ground up, what software/frameworks would you consider? What would you try to avoid?
I would just learn Go as it seems particularly suited for web apps and has a nicer ecosystem.
So is nginx more secure than Apache?
nginx and Apache both suffer from having a memory-unsafe codebase (written in C). From the looks of it, nginx seems to have a better security track record, which may indicate a saner codebase. It also has more security features and is well-regarded in general.
The only memory-safe alternative I'm aware of is Caddy, but it lacks features and is way less efficient at the moment.