We explain some of the innovations that come with PHP 8.0 and what WordPress users should know before they start using it. The PHP 8.0 version, released on November 26, 2020, is the latest version of PHP powered by WordPress sites.
What WordPress Users Should Know About PHP 8
This new update in the language came with many new features that will benefit developers and changes that will increase security in the long run.
The most obvious of these changes is the removal of some functions. There are much bigger changes in PHP 8 version compared to previous versions.
In this article, let’s take a look at the sensitive points and recommendations stated in the article of Wordfence Security, which has been in the industry for years and is known for its plugins.
Should I Upgrade to PHP 8 Now?
No way.
You should not upgrade your current WordPress until stable support is available. According to the interview made by WordPress developers on November 18, it is planned to be compatible with PHP 8 in beta with version 5.6. Currently, there are some issues, even though the most recent version, WordPress 5.6 and PHP 8, have been released recently.
Even if the basic WordPress functions work in the beta version, there may be some problems such as unknown errors and theme corruption for a while. Taking this into account with WordPress, it started running additional tests using PHP 8 so that errors could be tested and fixed as quickly as possible.
If you are currently using one of the WordFence Security plugins, work is underway for compatibility with PHP 8. According to the developer’s statement on their blog, partial compatibility and support will be offered, but additional tests are required to ensure stable use and full compatibility.
Apart from all these, we would like to emphasize that many WordPress themes and plugins will not be compatible with PHP 8 version immediately. Even if nothing seems to be a problem with normal use, negative things may be happening in the background.
On the other hand, we expect the 5.7 version of WordPress to be fully compatible with PHP 8, which will probably be released in March 2020 and PHP 8.0.1 will have been released and the first bugs will be fixed.
What Major Changes Does PHP 8 Contain?
Some of the developers have long thought that PHP is much less secure than some other alternatives. This is still a controversial issue as it is difficult to understand how secure or unsafe any programming language / web programming language is in terms of security. However, looking at PHP versions prior to PHP 8, the new version is not as tolerant of some code errors as the old ones.
In case of minor bugs in older versions, the codes could continue to work depending on what the error was. Because of this, security is thought to be a little tighter.
The PHP 8 version is also starting to use a much stiffer script type compared to other PHP versions. More attention is now being paid to the loops that functions accept and run, and how the input received from the user is evaluated becomes more important.
Warnings appear rather than problems that previously manifested themselves in various notifications. Those that appear as warnings are now directly shown as errors. Thus, the code structure is made cleaner and better.
In summary, we can say that the PHP 8 version does not have a very flexible structure compared to other versions. Running the faulty code was not that difficult in previous versions.
In addition, some functions and various features that were removed by PHP 7.x version are being removed more precisely, this time with PHP 8:
- $ php_errormsg variable
- create_function () function
- mbstring.func_overload ini directive
- real tip
- The allow_url_include ini directive
- restore_include_path () function
- each () function
How Will WordPress Plugins and Themes Affect?
While we know that these variables, functions and directives are not used much anymore, according to research by Wordfence, there are some 5,000 popular WordPress plugins that use create_function and are used by millions of websites. In this case, you are likely to experience problems if you upgrade.
However, in some cases their use may be allowed for compatibility with older PHP versions. Regrettably, many plugins will cause problems if they are not configured extensively in the transition to PHP 8.
Very few plugins and themes also often make use of third-party libraries. WordPress developers can wait a while for these to be updated as well for compatibility.
If these libraries are not updated to be compatible with PHP 8, it may be necessary to use alternatives to these libraries or even write themes and extensions from scratch to be PHP 8 compatible.
Some suggestions and compatibility reports were prepared by the developers of the Yoast SEO plugin on what should be done by other developers during this transition. If you are a developer, we strongly recommend that you read it.
Security Concerns About PHP 8
Although many functions and features that cause problems in terms of security have been removed with PHP 8 as stated in the previous paragraphs, it is necessary to take into account various errors and flaws, as is the case with everything human handled. Such concerns are expressed after each new version is released.
PHP allows something called “Type Juggling”. Thanks to this feature, if it is used to treat strings containing numbers in the same way as integers or decimals and is used ===
instead of the operator for strict comparison ==
, it means that mathematical comparison can be made between these two different types.
While this can be intrinsically beneficial for many developers, it can sometimes lead to unusual behavior in the software.
The WordFence article thoroughly discussed why Type Juggling can cause problems. While returning as its 0==”blah”
value true
, which is a classic example, PHP 8 may cause errors when trying to streamline such behavior for correction purposes. Can 0==”0blah”
false
be returned as for example.
Basically this will increase security, but the behavior of PHP’s “Type Juggling” feature can be used to bypass password checks using non-standard cookies and cookies, and there are a number of exploits that can be used that way. Additionally, a large number of plugins or various additional components take advantage of loose comparisons for critical functionality. These will generally continue to be used after upgrading to PHP 8, but new vulnerabilities may arise due to this situation.
In addition, during the transition from PHP 7.x to 8, plugin developers and some theme developers may cut the support and leave it idle instead of trying to update the code.
This can be seen in themes and plugins used by fewer websites than in common themes and plugins. Vulnerabilities in plugins and themes abandoned by the developer are usually not fixed. This is also a big security risk.
Another security risk arises from hosts and site owners rather than developers. To run legacy plugins in a healthy way, website owners can remain on older versions of PHP that are insecure.
Apart from all these, some malware also rely on PHP’s functions that have been removed by the fault tolerance feature to hide their intent.
Such malicious files either stop working or betray themselves in the PHP 8 installed environment. Or, over time, it continues to be developed to be compatible by malware authors.
Performance Changes Coming With PHP 8
Another exciting feature and development that comes with PHP 8 is JIT, or literally “Just In Time” compilation. PHP is an interpreted language as you know it. That is, it is not compiled but converted into machine code during operation. For example, an example programming language from others working in this way is Python.
Thanks to the JIT feature, records of frequently used code continue to be kept and if the same code is to be used again, it is optimized accordingly. This provides enormous performance gains in structures where certain functions are used. JIT started to be used in other languages such as JavaScript, and after its addition, it caused the explosion of new applications.
For example, virtual machines that work with the help of JavaScript and interact with the user were unimaginable in the early days of websites. Now it has also become more practical to install pure PHP libraries to perform certain tasks on the server in the past.
Apart from all this, unfortunately, the performance improvement that can and will occur for web content management systems such as WordPress will be minimal. It seems like the average WordPress user or developer will take quite a while to take advantage of this new feature.
Although all these nice features make the developers’ job easier, it is unlikely that these features will be used in future themes and plugins, as backward compatibility on WordPress sites will deteriorate.
How Long Does Developers’ Code Take to Updates for PHP 8?
Each PHP version has an average life cycle of two years. If this cycle includes fixing bugs and closing security vulnerabilities, it could take up to three years.
The PHP 7.4 version was released in November 2019, and it is known that bugs in version 7.4 will be fixed by November 2021. The life cycle will come to an end after the security problems are corrected until November 2022.
Therefore, we can think of November 2022 as the exact expiry date of the PHP 7.x version. From this account, until 2022, web applications must be at least with PHP 8.0 or a more risk-free and up-to-date version.
Result
The full transition to PHP 8 will be the most comprehensive change and transition PHP has ever seen. While there have been changes and innovations worth it for a long time, WordPress site owners and developers may also struggle to adapt in this short time frame.
If you own a website, first check if your themes and plugins are updated properly and even if they can get updates. If there are add-ons that can’t adapt and are abandoned, you can start looking for alternatives.
In summary, in this article, we took a detailed look at how the changes that come with PHP 8 will affect WordPress site owners.