Everything the WordPress Users Must Know About PHP 8
9 Feb 2021
- Eclick Softwares and Solutions
The latest version of PHP is offering new features for developers that are much useful. With the help of these features, the WordPress developer can improve the WordPress sites which ensures to enhance more security and better performance in the long run. The new features of PHP 8 even completely remove several earlier deprecated functionalities.
Hence, PHP 8 is the major change from its previous versions.
Now we shall look at insights signifying its meaning for the WordPress site owner, which include the strategies to be adopted as per recommendation.
Should WordPress Site be Right Away Upgraded?
Not necessary. WordPress, 5.6's upcoming version intends to be "beta compatible with PHP 8", as stated by November 18 WordPress dev chat. It states many-core WordPress functions will be working, while a few unexpected bugs could still periodically come up, despite no presence of the extra plugins and themes. WordPress had commenced for more testing with PHP for finding out and fixing many remaining bugs as much as possible.
Many WordPress plugins and themes are not going to be immediately compatible with PHP. The ones not running to fatal errors at the time of normal usage could still display a few unexpected behaviors for a brief time.
What Are the Breaking Changes Included in this Sector?
A few developers have been into debates about PHP being insecure by default. It could welcome debate and it's for the versions of PH before the PHP had been fault-tolerant to a greater extent and take steps for ensuring the code is running despite the minor errors being present.
PHP 8 uses more strict typing compared to the previous versions. Most in-built functionalities can now be chosen regarding their input acceptabilities. PHP 8 is highly stringent regarding the way inputs are passed to functionalities. Previously issues had resulted in notices and now result in warnings. Earlier, there were issues about warnings and now result in errors.
In simple words, compared to the previous versions, PHP 8 is not that lenient. PHP 8 will not be trying for making the code work. A few noteworthy functions and features deprecated in PHP 7.x are now entirely removed. These changes include -
• The create_function ( ) function
• The real type
• the $php_errormsg variable
• The mbstring_func_overload ini directive
• The allow_url_include ini directive
• The restore_include_path ( ) function
• The each ( ) function
Since a number of them are not used widely, so the create_function is identified. It is being used in over 5,500 WordPress plugins – which include the highly popular plugins having millions of installations. In a few cases, using these deprecated functions could be intended for backward compatibility with PHP's older versions. Most plugins will be needing extensive refactoring with PHP 8 becoming more utilized.
Some plugins and themes even depend a lot on third-party libraries. At this point, the WordPress developers might have to wait till these have been updated for compatibility. With the libraries not being updated and maintained for compatibility with PHP 8, it could be a necessity for forking these libraries, finding the alternatives, and even rewriting the plugins and themes from the start.
The Pointed Out Security Concerns
PHP allows "Type Juggling", meaning it is able to treat the strings containing numbers in the same way the floats or integers have been treated, and will be able to calculate and make comparisons between these different types till the loose comparison operator == has been used other than the strict comparison operator ===.
Type Juggling is very useful for the developers and helps to save time while writing the code. At the same time, it could lead to different behaviors.
Let us consider an example regarding the way Type Juggling is likely to cause issues by comparing 0==“blah” will be returning true.
PHP 8 is able to fix these behavior types for these and even similar comparisons (for instance, 0==“0blah” ) will come up as false.
To a greater extent, this will be improving security. Several exploits are likely to take advantage of PHP's Type Juggling behavior for bypassing the nonstandard cookie, password checks, or nonce. Apart from that, many plugins are using these loose comparisons, often for critical functions. But in most cases, these will go on working correctly at the time of using PHP 8. Some of them could rely on the wrong behavior for proper functioning. But in rare situations, this could create new security holes.
The responsibility to update the codes for PHP 8 compatibility, proves excessive to some developers, and most plugins and themes could end up being abandoned. But this is likely to be rare for the plugins and themes having a large install base.
The security issues found in all these abandoned plugins and themes will be unpatched, hence proving disastrous.
Similarly, most websites might continue to be an insecure PHP version so that their legacy plugins keep on running.
In the end, particular malware strains depend on the deprecated functions and even for PHP's fault tolerance for obfuscating their intentions. But these strains will discontinue their functionalities and become better noticeable in the PHP 8 environment, with malware authors adapting with time.
For How Long Should the WordPress Developer Update?
Each PHP version is having a 2 years life cycle when the bugs are fixed, along with an additional year when the security issues are botched. PHP 7.4 was invented in November 2019. Being PHP 7's final version means the bugs present in PHP 7.4 will be fixed till November 2021, while until 2022 its security issues will be all patched when it shall meet with its finality. So, November 2022 could be regarded as the hard cutoff date - all the PHP code must be compatible with the PHP 8.0 by this time. Or else, there will be risks of being stuck on the potentially vulnerable PHP versions.
Getting transitioned to PHP 8 is the broad and highly impactful change ever witnessed by the language. This transition is highly worthy in the long run, and the WordPress site developers might have to go on with a huge ride in its very short term. Being the website owner, one has to be careful of the plugins and themes being updated and tested for ensuring compatibility. Likewise, a plan should be framed for replacing the ones not compatible. Being the developer, you have to test your code along with the dependencies on PHP 8. Make a plan for forking or replacing the libraries not being updated. The entire WordPress had undergone difficult transitions earlier with the open-source communities always growing and adapting.