PHP Security

PHP 8.4: Issues to Check Before Upgrading

PHP 8.4 is a strong upgrade target for many production sites, but old plugins, themes, packages, and hosting settings still need testing.

By Fixnx Security TeamReviewed by Fixnx Security Team
Fixnx PHP 8.4 upgrade guide

Quick answer

PHP 8.4 is actively supported and has recent security releases. Before upgrading, test WordPress, plugins, themes, custom code, PHP extensions, logs, payments, forms, and background jobs.

Only scan websites you own or have explicit permission to test. Fixnx is built for defensive security checks and website protection. Unauthorized scanning may be illegal.

PHP 8.4 is a practical target for many production websites because it is modern, supported, and widely available on hosting platforms. It is also less bleeding-edge than PHP 8.5 for teams that want a careful middle step.

According to php.net, PHP 8.4 was released on November 21, 2024. Official support tables show active support until December 31, 2026 and security support until December 31, 2028.

PHP 8.4 version snapshot

The PHP news archive lists PHP 8.4.23 as a security release on July 2, 2026. All PHP 8.4 users were encouraged by the PHP project to upgrade to that patch release.

For WordPress and WooCommerce sites, PHP 8.4 is often a good target when PHP 8.5 is not yet supported by every plugin or host.

  • Initial release: November 21, 2024.
  • Active support until: December 31, 2026.
  • Security support until: December 31, 2028.
  • Recent patch: PHP 8.4.23 security release.

PHP 8.4 issues to check

The common PHP 8.4 risk is not the core language. It is older code that was never tested against PHP 8.4.

This matters most for WordPress sites with custom themes, old page builders, old WooCommerce extensions, old composer packages, or private plugins.

  • Deprecated code may fill logs or break strict environments.
  • Custom themes may rely on old dynamic behavior.
  • Plugins can fail if required PHP extensions are missing.
  • Image processing, email, payments, caching, and background tasks need real tests.
  • Public error display must stay off in production.

Safe PHP 8.4 upgrade checklist

  1. Create a staging copy of production.
  2. Update WordPress, plugins, themes, and composer packages first.
  3. Switch staging to PHP 8.4 and check logs.
  4. Test forms, checkout, login, uploads, cron, email, and API calls.
  5. Confirm required extensions such as curl, intl, mbstring, opcache, and imagick.
  6. Schedule production upgrade during low traffic.
  7. Monitor error logs and run a Fixnx scan after release.

Example Fixnx finding

A Fixnx scan after a PHP 8.4 upgrade might show better response timing but also reveal public PHP warnings on one form endpoint.

That is a sign that the runtime upgrade worked, but one plugin or custom code path still needs repair.

  • Evidence: warning text visible in HTML.
  • Impact: server paths and plugin names may leak.
  • Fix: patch the source, disable public display_errors, and retest.
  • Follow-up: monitor logs for the same warning after traffic returns.

What to fix first

  1. Fix fatal errors and public warnings first.
  2. Patch payment, form, login, and upload workflows.
  3. Update unsupported plugins and composer packages.
  4. Verify PHP extensions and opcache settings.
  5. Then tune performance and cache behavior.

Recommended next steps

Trusted external resources

FAQ

Is PHP 8.4 still supported?

Yes. Official PHP support tables show PHP 8.4 in active support until December 31, 2026 and security support until December 31, 2028.

Is PHP 8.4 safe for WordPress?

PHP 8.4 can be a good WordPress target when the host, plugins, themes, and custom code support it. Test first.

What is the latest PHP 8.4 patch in July 2026?

The PHP news archive lists PHP 8.4.23 as a security release on July 2, 2026.

What breaks most often on PHP 8.4?

Old plugins, themes, custom code, missing extensions, and composer packages are the most common trouble spots.

Check your site after moving to PHP 8.4

Run a Fixnx scan after the PHP change to catch public errors, headers, SEO drift, and exposed files.

Only scan websites you own or have explicit permission to test. Fixnx is built for defensive security checks and website protection. Unauthorized scanning may be illegal.