We explain some of the innovations that come with PHP 8.0 and what WordPress users should know before they start using it.
The PHP 8.0 version, released on November 26, 2020, is the latest version of PHP powered by WordPress sites. This new update in the language came with many new features that will benefit developers and changes that will increase security in the long term.
The most obvious of these changes is the removal of some functions. There are much bigger changes in PHP 8 version compared to previous versions. In this article, let’s take a look at the sensitive points and suggestions stated in the article of Wordfence Security, which has been in the industry for years and is known for its plugins.
Should I Upgrade to PHP 8 Now?
You should not upgrade your current WordPress until stable support is available. According to the interview made by WordPress developers on November 18, it is planned to be compatible with PHP 8 in beta with version 5.6. Currently, there are a number of problems, even though the most recent version released recently, WordPress 5.6 and PHP 8 support. Even if the basic WordPress functions work in the beta version, there may be some problems such as unknown errors and theme corruption for a while. Taking this into account in WordPress, it started running additional tests using PHP 8 so that errors could be tested and fixed as quickly as possible.
If you are currently using one of the WordFence Security plugins, work is underway for compatibility with PHP 8. According to the developer’s statement on their blog, partial compatibility and support will be offered, but additional tests are required to ensure stable use and full compatibility.
Apart from all these, we would like to emphasize that many WordPress themes and plugins will not be compatible with PHP 8 version immediately. Even if nothing seems to be a problem with normal use, negative things can be happening in the background. On the other hand, we expect the 5.7 version of WordPress to be fully compatible with PHP 8, which will probably be released in March 2020 and PHP 8.0.1 will have been released and the first bugs will have been fixed.
What Major Changes Does PHP 8 Contain?
Some of the developers have long thought that PHP is much less secure than some other alternatives. This is still a controversial issue as it is difficult to understand how secure or unsafe any programming language / web programming language is in terms of security. However, looking at PHP versions prior to PHP 8, the new version is not as tolerant of some code errors as the old ones. In case of minor bugs in older versions, the codes could continue to work depending on what the bug was. Security is thought to be a little tighter because of this.
The PHP 8 version is also starting to use a much stiffer script type compared to other PHP versions. More attention is now being paid to the loops that functions accept and execute, and how the inputs received from the user are evaluated becomes more important. Warnings arise rather than problems that previously manifested themselves in various notifications. Those that appear as warnings are now directly shown as errors. Thus, the code structure is made cleaner and better.
In summary, we can say that the PHP 8 version does not have a very flexible structure compared to other versions. Running the faulty code was not that difficult in previous versions.
In addition, some functions and various features that were removed by PHP 7.x version are being removed more precisely, this time with PHP 8:
- $ php_errormsg variable
- create_function () function
- mbstring.func_overload ini directive
- real tip
- The allow_url_include ini directive
- restore_include_path () function
- each () function
How Will WordPress Plugins and Themes Affect?
While we know that these variables, functions and directives are not used much anymore, according to research by Wordfence, there are some 5,000 popular WordPress plugins that use create_function and are used by millions of websites. In this case, you are likely to experience problems if you upgrade. However, in some cases their use may be permitted for compatibility with older PHP versions. Regardless, many extensions will unfortunately cause problems if they are not configured extensively in the transition to PHP 8.
Very few plugins and themes also often make use of third-party libraries. WordPress developers can wait a while for these to be updated as well for compatibility. If these libraries are not updated to be compatible with PHP 8, it may be necessary to use alternatives to these libraries or even write themes and extensions from scratch to be PHP 8 compatible.
Some recommendations and compatibility reports were prepared by the developers of the Yoast SEO plugin on what should be done by other developers during this transition. If you are a developer, we strongly recommend that you read it.
Security Concerns About PHP 8
Although many functions and features that cause problems in terms of security have been removed with PHP 8 as stated in the previous paragraphs, various errors and flaws must be taken into account, as is the case with everything human handled. Such concerns are expressed after each new version is released.
PHP allows something called “Type Juggling”. With this feature, you can use the operator to compare strings containing numbers in the same way as integers or decimals.
== If it is used, it means that mathematical comparison can be made between these two different types. While this can be intrinsically beneficial for many developers, it can sometimes lead to unusual behavior in the software.
The WordFence article thoroughly discussed why Type Juggling can cause problems. Is a classic example
0==”blah” the value of
true When returning as, PHP 8 may cause errors when trying to streamline such behavior for fixing purposes. for example
false can be returned as.
Basically this will increase security, but the behavior of PHP’s “Type Juggling” feature can be used to bypass password checks using non-standard cookies and cookies, and there are a number of exploits that can be used that way. In addition, a large number of plugins or various additional components take advantage of loose comparisons for critical functionality. These will generally continue to be used after upgrading to PHP 8, but new vulnerabilities may arise due to this situation.
In addition, during the transition from PHP 7.x to 8, plugin developers and some theme developers may cut support and leave it idle, instead of struggling to update code. This can be seen in themes and plugins used by fewer websites than in common themes and plugins. Vulnerabilities in plugins and themes abandoned by the developer are generally not fixed. This is also a big security risk.
Another security risk arises from hosts and site owners rather than developers. To run legacy plugins in a healthy way, website owners can remain on older versions of PHP that are insecure. Apart from all these, some malware also rely on PHP’s functions that have been removed by the fault tolerance feature to hide their intentions. Such malicious files either stop working in PHP 8 installed environment or betray themselves. Or, over time, it continues to be developed to be compatible by malware authors.
Performance Changes Coming With PHP 8
Another exciting feature and development that comes with PHP 8 is JIT, or “Just In Time” compilation. PHP is an interpreted language as you know it. That is, it is not compiled, but converted into machine code during operation. For example, an example programming language from others working in this way is Python.
All this aside, unfortunately, the performance improvement that can and will occur for web content management systems such as WordPress will be minimal. It seems like the average WordPress user or developer will take quite a while to take advantage of this new feature. Although all these nice features make the developers’ job easier, it is unlikely that these features will be used in future themes and plugins, as backward compatibility on WordPress sites will deteriorate.
How Long Does Developers’ Code Take to Updates for PHP 8?
Each PHP version has an average life cycle of two years. If this cycle includes fixing bugs and closing security vulnerabilities, it could take up to three years. The PHP 7.4 version was released in November 2019 and it is known that the bugs in version 7.4 will be fixed by November 2021. By November 2022, once the security problems are fixed, the life cycle will come to an end. Therefore, we can think of November 2022 as the exact expiry date of the PHP 7.x version. From this account, until 2022, web applications must be at least PHP 8.0 or more risk-free and support the current version.
The full transition to PHP 8 will be the most comprehensive change and transition PHP has ever seen. While there have only been changes and innovations worth it over the long term, WordPress site owners and developers may also find it difficult to adapt in this short period of time. If you are a website owner, first check if your themes and plugins are updated properly and even if they can get updates. If there are add-ons that can’t adapt and are abandoned, you can start looking for alternatives.
In summary, in this article, we took a detailed look at how the changes that come with PHP 8 will affect WordPress site owners. If you have questions, you can open a topic on Technopat Sosyal, and if there is something you want to add, you can specify it in the comments.