The latest updates to PHP version 7 include important security improvements, performance enhancements, and exciting new features. To see a baseline infographic of version 7 capabilities, see Fasthosts’ helpful guide here.
Libsodium is Part of the Core
The application-layer cryptography library Libsodium is now part of the core in PHP 7.2. Previously, the library was made available through PECL, another recursive acronym meaning “PHP Extension Community Library.” The inclusion of Libsodium makes PHP the first programming language to add modern cryptography to its standard library. This ensures the cross-platform and cross-language library enables encryption, decryption, signatures, password hashing, and much more.
Argon 2 in Password Hash
Argon 2 is an award-winning hashing algorithm. It won the 2015 Password Hashing Competition, bringing a secure alternative to the Bcrypt algorithm on the previous version of PHP. It is designed for the highest memory filling rate and effective use multiple computing units while still providing defense against tradeoff attacks. Bcrypt only allows for one cost factor, whereas Argon 2 takes three cost factors: memory cost, time cost, and parallelism factor. The memory cost factor defines the number of KiB that should be consumed during hashing, while the time cost defines the number of iterations of the hashtag algorithm. The parallelism factor sets the number of parallel threads that will be used during the hashtag. See more information on how Argon 2 addresses these factors here.
Performance
According to benchmarks from Phoronix, PHP 7.2 runs 13% faster than 7.1 and 20% faster than 7.0. It’s 250% faster than PHP 5.6, which over 40% of WordPress users still have not updated from. Other tests support these findings. Official PHP benchmarks demonstrate that PHP 7 is twice as fast as 5.6 with half the latency, while Kinsta’s benchmarks show it to be three times as fast.
Deprecations
As with each update, there are several deprecated functions and features which will be removed no later than PHP 8.0. The full of list deprecated functions can be found here. These features will work in PHP 7.2, but error messages will appear during use in log files. Developers should check the code to update any deprecated functions before they become backwards incompatible.
Support
PHP 7.0 reached the end of its security support on December 3rd, 2017. Critical support will still be available through the end of 2018, but the PHP community no longer provides support for bugs or minor issues. PHP 7.1 will follow suit on December 1st, 2018. Upgrading to 7.2 ensures the latest security updates are supported continuously by the community.
With vital security updates, Libsodium in the core, and vastly improved performance features migrating from older versions of PHP to PHP 7.2 is an easy and important update.