I have a background (in the distant past) as a PHP dev, and currently make my income doing mostly Wordpress work.
For a very long time I took a jaundiced eye towards big PHP apps for the exact same reasons. That being said, I just two days ago finally installed Nextcloud in my homelab and exposed it to the world.
It's worth noting that a lot of PHP's bad rep comes from Wordpress, which is terrible in security terms in large part due to a huge and very poorly vetted ecosystem of plugins written by coders of all skill levels.
PHP itself had a number of anti-features which made security difficult in the past. A lot of those issues have been worked on. As somebody who was up to my eyeballs in PHP for years during the bad old days, I'm now confident installing big PHP apps if I think the dev team and dev process are reasonably mature.
If you want to avoid SMR performance penalties, the 1TB HGST Travelstar 7K1000 HTE721010A9E630 is one of the biggest CMR 2.5" drives I've found, and it's 7200rpm and rated for 24/7 operation to boot.