Hello. I want to make a real-time browser game(mmorts), similar to Forge of Empires and Elvenar.  I'm pretty familiar with PHP, Js(jQuery), AJAX/Rest API's, MySQL and HTML/CSS.

I've red some similar topics  here and here ,but I want to code it from scratch, without framework.

Since my goal is to have many players worldwide, I have couple of questions: 

1) In terms of Security(securing the game code/game data and users authentication), which languages/methods are best to pick, I've red some opinions that I should stay away from php and flash(nowdays flash is pretty common, everyone have the plugin)?

2) For the backend what are the pros and cons of NodeJs vs PHP handling multiple requests like a global chat?

3) How are these games actually made(Forge of Empires, Elvenar, League of Angels)?

4) In terms of graphics performance(low CPU/GPU cost) which methods are the lightest to use? I see that Flash is a quite heavy for low/mid-end pc's.

I don't think making games to run in Web browsers is the way to go, but if you're going to do so, use JavaScript. No, not everyone has Flash. I don't have Flash.

I would suggest just making a regular client/server type multiplayer game where the player gets the client and uses that to connect to the server. Maybe exporting the game in a JavaScript version if you're able to, and that can be the browser-based version. I know Godot Engine supports such an export option, for example.

Flash is dying, and won't work on many browsers. Don't use that. In terms of graphics in the browser the only real option is HTML5/WebGL, and you can choose any number of different libraries for that.

PHP is probably your worst choice for a real-time game as it's designed to serve one HTTP request at a time, and it's a bad programming language as well. But you can make it work, if you're willing to make regular requests, and/or you use various hacks to send real-time data to a client. NodeJS is a much closer fit, although it's still geared towards an event driven system where it responds to requests rather than sending data itself. If you're writing a full real-time server you can use most regular programming languages.

If you want to start fairly barebones, and want to stick with technology you know, then I might suggest Node.js, Nodejs-websocket, and standard websockets on the client. I'd also suggest picking something to help you with the HTML5 game loop and rendering, such as Phaser.io or Three.js to speed development up.

1. The Flash browser plugin is usually updated to fix bugs that can be exploited by merely accessing hostile objects; it's an outstanding security risk, far worse than more properly sandboxed Javascript. PHP, on the other hand, helps putting your servers at risk: assuming hackers will attack you with malicious HTTP requests in any case, the bad design choices and the plentiful bugs in PHP and many accompanying libraries make their attempts more likely to find something useful.
2. Avoid PHP.
3. Not a real question.
4. Iavascript with WebGL is more likely than Flash to be efficiently rendered and to make good use of hardware acceleration, but look out for bad surprises (particularly with libraries that offer Flash-like entities and scene graphs).