Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

PHP 8: What WordPress Users Need to Know

This entry was posted in WordPress Security on November 23, 2020 by Ram Gall   18 Replies

PHP 8.0 is set to be released on November 26, 2020. As the programming language powering WordPress sites, PHP’s latest version offers new features that developers will find useful and improvements that promise to greatly enhance security and performance in the long run. It also fully removes a number of previously deprecated functions. PHP 8 is a massive change from previous versions.

In this article, we hope to provide insights detailing what this means for WordPress site owners, including recommended adoption strategies.

Should I upgrade right away?

No. The upcoming major version of WordPress, 5.6, is intended to be “beta compatible with PHP 8” according to the November 18 WordPress dev chat. This means that most core WordPress functionality will work, but unexpected bugs may still occur for some time, even without the presence of additional plugins or themes. WordPress has called for additional testing with PHP 8 in order to find and fix as many remaining bugs as possible.

At Wordfence, our Quality Assurance team is working to ensure that our plugin is compatible with PHP 8 in a variety of environments. Upcoming Wordfence versions will offer a similar level of partial support, though we have additional testing planned to reach full compatibility.

A vast number of WordPress plugins and themes will not be immediately compatible with PHP 8. Those that do not run into fatal errors during normal usage may still show unexpected behavior for some time.

What breaking changes does this include?

Some developers have long argued that PHP is insecure by default. While this is up for debate, it’s true that versions of PHP prior to PHP 8 are more fault tolerant and try very hard to ensure that code will run even if minor errors are present.

PHP 8 uses much stricter typing than previous versions. Many built-in functions are now pickier about the input they accept, and PHP 8 itself is more stringent about how input is passed to functions. Issues that previously resulted in notices now result in warnings, and issues that previously resulted in warnings now result in errors.

In other words, PHP 8 is not as lenient as previous versions. It will not try quite as hard to make code work no matter what.

Some functions and features that were deprecated in PHP 7.x have been completely removed. These include:

  • The $php_errormsg variable
  • The create_function() function
  • The mbstring.func_overload ini directive
  • The real type
  • The allow_url_include ini directive
  • The restore_include_path() function
  • The each() function

While most of these are no longer widely used, we have identified that create_function is still used in over 5,500 WordPress plugins, including extremely popular plugins with millions of installations. In some cases use of these deprecated functions may be intended for backwards compatibility with older versions of PHP. Many plugins, however, will need extensive refactoring as PHP 8 becomes more utilized.

Quite a few plugins and themes also depend heavily on third party libraries. WordPress developers may need to wait until these are updated for compatibility. If these libraries are not maintained or updated for compatibility with PHP 8, it may be necessary to fork these libraries, find alternatives, or even rewrite plugins and themes from the ground up.

For more in-depth information about what’s changed, our friends at Yoast have produced an excellent compatibility report intended for developers looking to ensure their software is compatible.

What security concerns are there?

PHP allows something called “Type Juggling.” This means that it can treat strings containing numbers the same way it treats integers or floats, and can perform math and do comparisons between these different types as long as the loose comparison operator == is used instead of the strict comparison operator ===. For developers, Type Juggling can be very useful and save time when writing code, but it can sometimes lead to unusual behavior.

A classic example of how Type Juggling can cause issues is that comparing 0==”blah” will return true. PHP 8 fixes this type of behavior so that these and similar comparisons (e.g., 0==”0blah”) will return false.

By and large, this will actually improve security. There are a number of exploits that can take advantage of PHP’s Type Juggling behavior to bypass nonstandard cookie, nonce, or password checks. Nonetheless, a large number of plugins use these loose comparisons, sometimes for critical functions. In most cases these will continue to work correctly when using PHP 8, but a few of them might actually rely on incorrect behavior in order to function properly. In a few rare circumstances, this might open up new security holes.

The onus of updating code for compatibility with PHP 8 could prove to be too much for some developers, and many plugins and themes may end up abandoned, though this is less likely to happen for plugins and themes with a large install base. Any security issues in these abandoned plugins and themes would go unpatched, which could prove disastrous.

Likewise, many websites may remain on an insecure version of PHP in order to keep their legacy plugins running.

Finally, certain strains of malware rely on deprecated functions as well as PHP’s fault tolerance in order to obfuscate their intentions. These strains will cease to function or become more noticeable in a PHP 8 environment, but malware authors will adapt in time.

What performance changes are coming?

One potentially exciting feature coming to PHP 8 is JIT, or “Just In Time” compilation. PHP is an interpreted language, meaning that it is translated into machine code as it runs. JIT keeps track of code that’s frequently used and attempts to optimize the machine code translation so that it can be reused. This can result in a massive performance improvement for specific functionality.

The addition of JIT to other languages, such as JavaScript, has historically led to an explosion of new applications. For example, virtual machines running in JavaScript would have been unimaginable in the early days of the web. Certain tasks that would have required a module to be installed on the server in the past will become practical using pure PHP libraries.

For the time being, however, the actual performance improvement for web applications such as WordPress is minimal, and it will take a long time before the average WordPress user or developer reaps the benefits of this new feature.

While there are many other new features to make developers’ lives easier, it is unlikely that these will be used in WordPress plugins and themes for the foreseeable future, as most would break backwards compatibility with earlier versions of PHP still in use by many WordPress sites.

How long do developers have to update?

Each version of PHP has a life cycle of 2 years during which bugs are fixed, and an additional year during which security issues are patched. PHP 7.4 came out in November 2019. As the final version of PHP 7, this means that bugs in PHP 7.4 will be fixed until November of 2021, and security issues will be patched until November of 2022, at which point it will reach its “End of Life”. This means that November 2022 can be considered a hard cutoff date: all PHP code should be compatible with PHP 8.0 at minimum by this time, or risk being stuck on a potentially vulnerable version of PHP.

Conclusion

The transition to PHP 8 is one of the broadest and most impactful changes the language has ever seen. While it will be worth it in the long run, WordPress site owners and developers may be in for a rough ride in the short term. If you’re a website owner, start keeping a watchful eye on which of your plugins and themes are being updated or tested for compatibility and make a plan to replace the ones that aren’t. If you’re a developer, start testing your code and any dependencies on PHP 8, if you’re not already, and start making a plan to fork or replace any libraries that aren’t being updated. The WordPress ecosystem has been through difficult transitions in the past, and our open-source community has always grown and adapted.

Special thanks to QA Lead Matt Rusnak and Lead Developer Matt Barry for their assistance with this article.

Did you enjoy this post? Share it!

18 Comments on "PHP 8: What WordPress Users Need to Know"

Philip Miller November 23, 2020 at 8:27 am

So what's the reason or even advantage of upgrading to PHP 8? Since MS updates Windows 10 every week you can see it is a hopeless battle trying to solve every quirky "bug" or security hole. It's all diminishing returns.

Using good rather simple practices keeps intruders and hackers at bay for the average system.

Risk benefit management says you are chasing your tail.

Ram Gall November 23, 2020 at 10:31 am

Hi Philip,

The advantage of updating for compatibility with PHP 8 is that PHP 7.4 is going to reach end of life in November of 2022 and will no longer see security updates. That means that if some sort of critical vulnerability is found in PHP7.4 after this time, all the systems running that version will be vulnerable. It's true that risks should be triaged according to both likelihood and potential impact, but that calculation has a tendency to change unexpectedly as new information becomes available. Likewise, while using simple best practices does work, keeping software up to date is probably the most important simple practice you can use. Weekly Windows 10 updates are an excellent example of how important this is - several of the most recent patch Tuesdays have included patches for actively-exploited 0-days. Security does require ongoing effort, but that effort is worth it.

Wil November 23, 2020 at 4:00 pm

Hi Ram, While I totally agree that upgrading gets you on the fully maintained PHP branch and that's a good thing, I am certain that if a critical vulnerability is found in the 7.4 branch it will be patched just like it has been for 5.6.x (which is now at 5.6.40), for a considerable time until it's in minority use.

Ram Gall November 24, 2020 at 6:29 am

Hi Wil,

You're likely correct on this - any sufficiently bad PHP 7.4 vulnerabilities will probably end up getting patches for a while, even after EOL. PHP 5.6 effectively ended up getting an extra year of security patches. Even so, it's been almost 2 years since 5.6.40 came out and there's a few vulnerabilities in it that are never going to get patched, including a high-severity overflow vulnerability. Developers do have time to deal with this - it can be put off, just not forever.

William December 4, 2020 at 10:11 pm

keep in mind for LTS versions of Linux..like Centos 8 and ubuntu 20.04LTS..will keep 7.4 around until their own eol by a process called backporting. It's been done these vendors for more than a decade.

David November 23, 2020 at 9:13 am

Thanks for sharing this useful information!!!

Kate November 23, 2020 at 10:45 am

Thank you, Ram.
Would you advise that I get the plugin which disables updates to temporarily stop Wordpress updating to the new version? Mine just does it automatically at the moment.

Ram Gall November 23, 2020 at 11:23 am

Hi Kate,

Not to worry, WordPress automatic updates will not change your PHP version, so there's no need to disable WordPress updates. Likewise, most hosting providers won't change your PHP version automatically - you'd need to go into your hosting control panel to do so. Most hosting providers will likely take a few months at least to make PHP 8.0 available as well.

Joseph Quinn November 23, 2020 at 12:22 pm

I believe siteground is already allowing you to test php 8, but it's not recommended on a production site.

David November 23, 2020 at 2:29 pm

Thanks for a very informative article!

It would be very useful if Wordpress.org not only detailed FROM which PHP version, but also UP TO which PHP version, each plugin has been tested. For example, the Wordfence plugin (https://wordpress.org/plugins/wordfence/) details "PHP Version: 5.3 or higher". Or how else will we know when the plugins we are using have been updated to work with PHP 8?

Wil November 23, 2020 at 4:08 pm

Hi David,
I guess in a way, WordPress themes and plugins are kind of decoupled directly from PHP as they are considered extensions of the core WordPress app.

So theme and plugin authors should be maintaining their code to align with whatever PHP version the core WordPress app is recommended to run on.

WordPress has a "Requirements" section on the /download page on wordpress.org. It currently recommends using PHP 7.4.

As WordPress 5.6 is released and patched, the recommended PHP version will likely be changed to some 8.x version and hence new theme and plugin authors should be creating their extensions to align with that PHP version.

David W. November 23, 2020 at 4:08 pm

Thanks for this useful information. Beside the security part, will there be any speed improvements for sites using PHP 8?

Ram Gall November 24, 2020 at 6:39 am

Hi David,

There was a massive speed improvement from PHP 5.6 to 7.0 and a smaller, but still significant improvement in each new version of 7.x, especially 7.2->7.3. In other words, if you're coming from anything apart from 7.4 you'll likely notice a speed improvement. While JIT doesn't promise a lot of improved performance for web applications, early testing still seems to indicate that the performance improvement is likely to be similar to what we saw from 7.2->7.3, though most of this is probably due to other optimizations.

Cheryl November 24, 2020 at 1:32 am

Thank you very much for this article and advice to Wordpress site owners. You've managed to explain what is quite technical into something regular users can prepare for. Thank you.

Ryan M November 24, 2020 at 11:57 am

Thanks great info.✌️

Kurt December 1, 2020 at 4:50 pm

Good info to know. Thank you for sharing.

Atul Host December 3, 2020 at 2:00 pm

PHP8 is definitely impressive in terms of performance, but the code is totally new and incompatible with earlier ones. I'll not recommend WordPress users to switch to the latest updates asap. Please wait for the first few initial weeks, let the early adopters try it and fix everything. Many hosting companies are already pushed PHP8 in their library but stick to the PHp7.4 and WP 5.5.3 for some time.

Minh Hieu December 4, 2020 at 7:17 am

Added to my knowledge! Very good article, thank!

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 150 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates