WebControl allows plain text password, also support standard Based64 encrypted password. What method your PHP program using to send password is your choice.
If the security is a concern, please also use allowed host for which IP address can access WebControl. It will drop connection for any access attempt from IP address not in the list.