
As the programming language powering WordPress sites, PHP’s latest version offers many new features that developers will find useful, along with improvements that promise to greatly enhance security and performance in the long run. It also removes several previously deprecated functions entirely. PHP 8 is, without a doubt, a massive change from earlier versions.

This article explains what this means for WordPress site owners, including recommended adoption strategies.

Should I upgrade immediately?

In short, no. According to the November 18 WordPress dev chat, the upcoming major version of WordPress, 5.6, is intended to be “beta compatible with PHP 8”. This suggests that most core WordPress functionality will work, but unexpected bugs may still happen for some time, even without any additional plugins or themes. WordPress has also called for additional testing with PHP 8 to find and fix as many remaining bugs as possible.

As you might already know, a vast number of WordPress plugins and themes will not be instantly compatible with PHP 8. Plugins that do not run into fatal errors during normal usage may still show unexpected behavior for some time.

What breaking changes does this include?

It has been argued by some developers that PHP has been insecure by default for a very long time. While this might be up for debate, PHP versions before PHP 8 are more fault-tolerant and try very hard to ensure that code will run even if some small errors are present.

Previous versions used less strict typing than PHP 8. Several built-in functions are now pickier about the input they accept, and PHP 8 itself is stricter about how information is passed to functions. Problems that previously resulted in notices now result in warnings, and issues that previously resulted in warnings now result in errors.

PHP 8 is not as lenient as previous versions. It will not try quite as hard to make code work no matter what.

Some functions and features that were deprecated in PHP 7.x have been completely removed. These include:

  • The $php_errormsg variable
  • The create_function() function
  • The mbstring.func_overload ini directive
  • The real type
  • The allow_url_include ini directive
  • The restore_include_path() function
  • The each() function

While most of these are no longer widely used, we have identified that create_function is still used in over 5,500 WordPress plugins, including top-rated plugins with millions of installations. In some cases, the use of these deprecated functions may be intended for backward compatibility with older PHP versions. Many plugins, however, will need extensive refactoring as PHP 8 becomes more widely used.

Quite a few plugins and themes also depend heavily on third-party libraries. WordPress developers may need to wait until these are updated for compatibility. If these libraries are not maintained or updated for compatibility with PHP 8, it may be necessary to fork them, find alternatives, or even rewrite plugins and themes from the ground up.
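
One way to check a plugin or theme for the removed functions and the removed variable listed above is to scan its source with PHP's tokenizer. This is an added example, not code from the article or from WordPress; the function names and the sample input are constructed, and the ini directives and the real type are not covered.

```php
<?php
// Added example, not from the article: report uses of constructs the article
// lists as removed. Tokenizing avoids false hits inside strings and comments.
const REMOVED_FUNCTIONS = ['create_function', 'each', 'restore_include_path'];

// Text of the nearest non-whitespace, non-comment token in direction $step.
function neighbour(array $tokens, int $i, int $step): string
{
    for ($i += $step; isset($tokens[$i]); $i += $step) {
        $t = $tokens[$i];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return is_array($t) ? $t[1] : $t;
    }
    return '';
}

function find_removed_usage(string $source): array
{
    $findings = [];
    $tokens = token_get_all($source);
    foreach ($tokens as $i => $t) {
        if (!is_array($t)) {
            continue;
        }
        [$id, $text, $line] = $t;
        if ($id === T_VARIABLE && $text === '$php_errormsg') {
            $findings[] = "line $line: \$php_errormsg";
            continue;
        }
        // PHP 8 emits T_NAME_FULLY_QUALIFIED for \each; token_name() stays portable.
        $isName = in_array(token_name($id), ['T_STRING', 'T_NAME_FULLY_QUALIFIED'], true);
        $name = strtolower(ltrim($text, '\\'));
        if (!$isName || !in_array($name, REMOVED_FUNCTIONS, true)) {
            continue;
        }
        // Plain calls only: skip $obj->each(), Foo::each() and "function each()".
        $prev = strtolower(neighbour($tokens, $i, -1));
        if (neighbour($tokens, $i, 1) === '(' && !in_array($prev, ['->', '?->', '::', 'function'], true)) {
            $findings[] = "line $line: $name()";
        }
    }
    return $findings;
}

// Constructed sample of plugin code.
$sample = "<?php\n\$cb = create_function('\$a', 'return \$a;');\n"
    . "while (list(\$k, \$v) = each(\$items)) {}\n\$list->each(\$fn);\n";
print_r(find_removed_usage($sample));
```

To scan a real plugin, pass each file's contents from file_get_contents() to find_removed_usage().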

For more in-depth information about what’s changed, our friends at Yoast have produced an excellent compatibility report intended for developers looking to ensure their software is compatible.

What security concerns are there?

PHP allows something called “Type Juggling.” This means that it can treat strings containing numbers the same way it treats integers or floats, and can perform math and do comparisons between these different types as long as the loose comparison operator == is used instead of the strict comparison operator ===. For developers, Type Juggling can be very useful and save time when writing code, but it can sometimes lead to unusual behavior.

A classic example of how Type Juggling can cause issues is that comparing 0=="blah" will return true. PHP 8 fixes this type of behavior to return false for these and similar comparisons (e.g., 0=="0blah").

By and large, this will improve security. Several exploits can take advantage of PHP’s Type Juggling behavior to bypass nonstandard cookie, nonce, or password checks. Nonetheless, a large number of plugins use these loose comparisons, sometimes for critical functions. In most cases, these will continue to work correctly when using PHP 8, but a few of them might rely on incorrect behavior to function correctly. In a few rare circumstances, this might open up new security holes.
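
The difference between a loose and a strict token check can be seen by running the following on PHP 7 and on PHP 8. This is an added example, not code from the article; the function names, the token value and the request body are constructed.

```php
<?php
// Added example, not from the article. Function names, the token and the
// request body are constructed for illustration.

// Loose check. On PHP 7 a token with no leading digits is cast to 0, so an
// integer 0 matches it. PHP 8 instead compares the integer as a string, and
// the check fails as it should.
function token_matches_loose($supplied, string $expected): bool
{
    return $supplied == $expected;
}

// Strict check. Rejects non-string input, then compares in constant time,
// so the result does not depend on the PHP version.
function token_matches_strict($supplied, string $expected): bool
{
    return is_string($supplied) && hash_equals($expected, $supplied);
}

$expected = 'b7f3c0a9e1';                       // constructed stored token
$body     = json_decode('{"token": 0}', true);  // constructed JSON request body

printf("PHP %s\n", PHP_VERSION);
printf("loose,  integer 0:     %s\n", var_export(token_matches_loose($body['token'], $expected), true));
printf("strict, integer 0:     %s\n", var_export(token_matches_strict($body['token'], $expected), true));
printf("strict, correct token: %s\n", var_export(token_matches_strict('b7f3c0a9e1', $expected), true));

// Numeric strings are still compared as numbers in PHP 8, so == between two
// strings can match values that are not identical; === and hash_equals() cannot.
printf("'1e3' == '1000':       %s\n", var_export('1e3' == '1000', true));
printf("'1e3' === '1000':      %s\n", var_export('1e3' === '1000', true));
```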

The onus of updating code for compatibility with PHP 8 could prove too much for some developers, and many plugins and themes may end up abandoned, though this is less likely to happen for plugins and themes with a large install base. Any security issues in these abandoned plugins and themes would go unpatched, which could prove disastrous.

Likewise, many websites may remain on an insecure version of PHP to keep their legacy plugins running.

Finally, certain malware strains rely on deprecated functions and PHP’s fault tolerance to obfuscate their intentions. These strains will cease to function or become more noticeable in a PHP 8 environment, but malware authors will adapt in time.

What performance changes are coming?

One potentially exciting feature coming to PHP 8 is JIT, or “Just In Time” compilation. PHP is an interpreted language, meaning that it is translated into machine code as it runs. JIT keeps track of code that’s frequently used and attempts to optimize the machine code translation to be reused. This can result in a massive performance improvement for specific functionality.

For the time being, however, the actual performance improvement for web applications such as WordPress is minimal, and it will take a long time before the average WordPress user or developer reaps the benefits of this new feature.
