PHP is an extremely popular web programming language that is used by more than 83% of all websites. It is used to power some of the world’s most significant web applications, including Facebook, Wikipedia, Tesla, and Baidu. PHP is also the language that is used to create WordPress.
PHP took a major step forward in 2015 when PHP 7 was released. It is much faster than the previous versions of PHP and includes some much-needed security improvements. This article will take a quick look at PHP 7 and how it improves WordPress security compared to earlier versions of PHP.
PHP 7? Where did PHP 6 go?
The last major version of PHP was PHP 5.6, which was released in 2004. Developers then began working on PHP 6, which was a significant undertaking. One of its core goals was to add Unicode (UTF-16) support. Unfortunately, some development issues impacted the performance of PHP 6, delaying its release.
Some parts of PHP 6 were back-ported into versions of PHP 5. However, PHP 6 could not be released in its entirety because of the performance problems it was experiencing. During this time, many books were published showing elements of PHP 6 that were later scrapped. Releasing the latest version of PHP with the name PHP 6 would have led to some confusion with developers, so the PHP team jumped straight to PHP 7.
The major new features in PHP 7
PHP 7 is a substantial release that includes many changes and performance improvements. It comes with a new version of the Zend engine, which is the open-source scripting engine that interprets PHP code. This new version of the Zend Engine is where many performance gains have been achieved. The major new features found in PHP 7 include:
- Improved performance – PHP 7 has massively improved its bandwidth (requests per second) compared to older versions of PHP. It can handle almost twice the requests per second with less than half of the latency. This can speed up the processing of complex WordPress pages.
- Significantly reduced memory usage – PHP 7 has an improved instruction set. This results in a 75% reduction in the number of commands issued when performing a task. In simple terms, that means PHP 7 will use less CPU and RAM when processing WordPress pages compared to previous versions.
- Type declarations – Programmers have more control over how variables are passed around in their programs, resulting in more secure applications.
- Error handling – PHP 7 changes the way that errors are handled. It makes it easier for programmers to create recoverable errors and to reallocate the resources that the page was using. This change also helps programmers create secure applications and will have an impact on WordPress security.
- Secure random number generator – PHP 7 adds a new Cryptographically Secure PseudoRandom Number Generator (CSPRING). It is an application space external to the kernel, where PHP can safely create secure random numbers.
- New operators – PHP 7 comes with new operators which will give programmers more control over their applications.
This excellent article shares more details on the other changes that come with PHP 7.
How PHP 7 improves WordPress security
Upgrading to PHP 7 from PHP 5.x improves WordPress security in many ways:
There are fewer vulnerabilities in PHP 7
PHP 5.x had dozens of security of security issues that were patched over time. If your web hosting provider is running an older version of PHP 5.x, some of these vulnerabilities might still be present.
The bad news is that many cybercriminals are aware of PHP vulnerabilities and look for WordPress websites running older versions of PHP. 2016 was a record year for PHP security vulnerabilities, and 2017 is also one of the worst years on record. Malicious code execution, Denial-of-service attacks, and memory corruption are all severe vulnerabilities that might compromise your WordPress installation.
Some versions of PHP haven’t been patched in a very long time. Even PHP 5.4, a standard version of PHP that many web servers still use — hasn’t been updated since 2015! The vulnerabilities in older versions of PHP are a compelling reason to upgrade to PHP 7.
PHP 7 makes it harder to write bad code
Many of the changes made to PHP 7 have been done to make it more secure. The changes to error handling and type declarations will result in code that is more robust and written to a higher standard. Coders are less likely to make an error in a plugin or WordPress module that compromises your website.
New tools for serialisation and random numbers
Two more major changes to PHP 7 that affect WordPress security are the serialisation and CSPRING functions. The new unserialize function provides better security when unserialising objects that contain untrusted data. This reduces the risk of code injections, making WordPress and its plugins more secure.
The new Cryptographically Secure PseudoRandom Number Generator (CSPRING) feature allows programmers to create cryptographically secure integers and strings in a cross-platform way. This results in better WordPress core and WordPress plugin security.
Other security-boosting features in PHP 7 include the addition of the Argon2 hashing algorithm and the introduction of Libsodium to the PHP core. These features improve the hashing and encryption capabilities of PHP and WordPress.
Some changes to specific functions have also been made to improve security:
- The create_function function has been marked as depreciated due to security issues and will not be included future releases of PHP.
- The parse_str function now requires a second argument for security reasons.
- The salt option for password_hash function has been deprecated for security reasons.
PHP 5.6 only gets security support until December 2018
Another good reason to switch to PHP 7 for better WordPress security is that support for PHP 5.6 runs out soon. Active support for PHP 5.6 finished on the 19th of January 2017 and security support will finish on the 31st of December 2018. This means any security vulnerabilities in PHP 5.6 that pop up after this date will not be fixed — potentially leaving your website vulnerable.
WordPress recommends PHP 7
If these reasons weren’t compelling enough, you should also be aware that WordPress 4.x is optimised for PHP 7. WordPress 4.x will deliver almost twice the performance on a server running PHP 7.
The WordPress development team recommends that WordPress installations use PHP 7.2 to obtain speed and security advantages. Although WordPress acknowledges that WordPress will still work on older versions of PHP, they warn that previous versions have
“reached official End Of Life and as such may expose your site to security vulnerabilities”.
We hope you enjoyed reading WordPress security enhancement using PHP 7. For more WordPress security articles, please subscribe to the site or follow us on social media.