Multiple web pages ending in .php usually signify a poor codebase with a developer with poor web development knowledge. A clusterfuck of html mixed in with php is a recipe for a unmaintainable hodgepodge and may imply other not-so-great web development practices taking place.

I would be wary of the security practices taken here, including general "common sense" practices (not live editing db/files/presence of backups)

It seems like a weekend project with no intent to expand beyond a couple of users.