Behind every official PHP for Windows release is a lot of infrastructure: compilers, SDKs, dependency libraries, extension compatibility, CI pipelines, and security updates that keep the supported PHP versions working.

As part of my work for The PHP Foundation, the focus has been on the Windows side of PHP: maintaining and improving the build infrastructure, updating dependencies, supporting extension builds, and making the process more reliable for current and future PHP releases.

This post is a look at that work, why it matters, and what goes into keeping PHP healthy on Windows.

Why Windows support still matters

PHP is widely used on Linux, as the most common use case is running web applications, but Windows support remains important for several reasons.

Many developers use Windows as their local development environment, and many companies run PHP applications on Windows servers. A lot of users depend on it for local testing environments, CLI tooling, and extensions that must work reliably on Windows. As per the Stack Overflow annual developer survey in 2025 close to 50% of respondents use Windows for development.

Official PHP builds for Windows matter because they provide a trusted baseline and are part of the PHP project’s release process.

That means Windows support is not only about producing the final PHP build. It is about maintaining the full chain that makes a reliable PHP runtime possible.

The build system is now a toolchain

Building PHP on Windows is very different from building PHP on Unix-like systems.

On Linux and macOS, building PHP usually depends on package managers for dependencies and easy-to-use popular build toolchains. On Windows, PHP uses a separate build system built around MSVC, Windows SDK that handles various MSVC versions, custom build scripts, and custom prebuilt dependencies with patches specific to PHP.

A PHP Windows build needs to know:

• Which Visual Studio toolset to use
• Which Windows SDK to target
• Which dependency packages are available
• Which library versions are compatible with each PHP branch
• Whether a build is x64, x86, thread-safe, non-thread-safe, debug, or release

A major part of my work has been consolidating this into a modern toolchain: php/php-windows-builder.

PHP extension builds for Windows

We started with the purpose of making it easier to build PHP extensions on Windows. The goal was giving extension authors a path to produce builds that are compatible with the newer PIE direction. But because this new way of distribution for PHP’s extensions using PIE is still evolving, we also revived Windows builds for extension releases on PECL. As part of that, we have released builds for more than 100 actively maintained extensions.

That matters because Windows extension builds have historically been challenging for maintainers. Extension authors often do not have the full Windows build environment locally, and many contributors are more familiar with Linux-based workflows. A builder with a unified interface with known inputs gives the ecosystem a common place to test, debug, and improve Windows builds.

- name: Build the extension
  uses: php/php-windows-builder/extension@v1
  with:
    extension-url: https://github.com/xdebug/xdebug
    extension-ref: '3.5.3'
    php-version: '8.5'
    ts: nts
    arch: x64
    args: --with-xdebug
    libs: zlib

This is not only about convenience. It changes what is possible. For most extensions, building for Windows is as easy as copying one of the example workflows we have.

Automating Windows release builds

In addition to improving support for building PHP extensions, we also improved how the PHP runtime is built and maintained on Windows. We now have automated workflows in php/php-windows-builder that build PHP on new tags in php/php-src, run tests, deploy them to the downloads server, and make them available on the PHP website. This is a huge improvement on what used to be a manual process with delays, where the builds were run manually by one person in the Windows team and tested after publishing.

Dependency updates and testing

As part of the PHP build infrastructure improvements, we also created a test bench workflow. It allows us to build PHP with unpublished builds of PHP dependencies directly from GitHub workflow artifacts rather than fetching them from the PHP servers. That allows us to test dependency updates.

Before this test-bench infrastructure existed, some dependency updates were delayed or avoided because testing them properly on Windows was too slow, too manual, or too challenging. With a dedicated builder and test bench, dependency updates can be tested more quickly across PHP branches and configurations. That helps us move faster on both compatibility and security work.

PHP 8.0 through PHP 8.3 use the Visual Studio 2019 toolset, while newer versions such as PHP 8.4 and PHP 8.5 use the Visual Studio 2022 toolset. PHP 8.6 will use the Visual Studio 2026 toolset. These transitions sound simple, but in practice they affect compiler flags, dependency builds, extension compatibility, CI base images, and long-term support decisions.

Keeping this working means constantly testing combinations of PHP branches, Visual Studio versions, and dependency packages. php/php-windows-builder gives us a structured way to do that instead of relying on one-off manual builds.

Security work: CVEs, dependency updates, and backported fixes

A big part of maintaining PHP for Windows is security work.

That often means updating the dependency libraries that PHP and its extensions rely on when they receive CVE fixes or when new features demand it. These include libraries such as libcurl, OpenSSL, ICU, SQLite, libxml2, libjpeg, and more than 40 others.

When one of these libraries fixes a vulnerability, the Windows dependency stack has to be reviewed, rebuilt, and tested. The work is not as simple as bumping a version number.

A new dependency release can change ABI behavior, remove APIs, require another dependency to be rebuilt, expose new compiler warnings, or break an extension that used to compile cleanly.

For example, updating OpenSSL requires rebuilding curl and other libraries that depend on it. Updating ICU can introduce MSVC warnings or header-level changes that affect the intl extension. Updating Apache has to be evaluated carefully because PHP’s Apache module needs to remain compatible with the wider Windows ecosystem, including users running third-party installers lacking maintainers, but still have a large user-base.

There is also backporting work. Sometimes the safest path for a supported PHP branch is not to move an entire dependency stack forward, but to apply or adapt targeted security patches. That means reviewing upstream fixes, checking whether they apply cleanly to the version used by PHP for Windows, rebuilding the affected library, and validating that the patched build remains compatible with PHP and its extensions.

This balance matters. We want users to receive security fixes quickly, but we also need to avoid introducing regressions into supported PHP releases. Security maintenance on Windows is therefore a careful process of tracking CVEs, reviewing upstream changes, rebuilding dependencies, backporting fixes where appropriate, and validating the result through PHP’s test suites and real extension builds.

This is one of the less visible parts of the work, but also one of the most important. A secure PHP runtime depends not only on PHP source code but also on the native libraries that are shipped with it.

As part of this process, we updated these dependencies addressing a number of security issues reported for them over the last year.

We also refreshed these dependencies to newer releases for bug fixes and new features.

CI has become essential

Modern PHP Windows work depends heavily on CI.

It is not enough to build PHP once locally and release it. We need repeatable testing across branches, architectures, dependency versions, and runtime combinations.

As part of php/php-windows-builder, we now have a GitHub Actions-based approach to building PHP and its extensions; this is an improvement from the early days of building these on the Windows machine provided by Microsoft.

Preparing for the future

Windows support also has to look ahead.

One major area is architecture support. Historically, PHP for Windows has shipped x86 and x64 builds. But the value of x86 support continues to decrease as modern Windows systems are overwhelmingly 64-bit, while interest in ARM64 is growing.

That creates an important long-term question: what should the official PHP Windows build matrix look like in the future?

Dropping x86 and investing in ARM64 may make more sense for future versions. But that kind of decision cannot be made casually. It requires understanding who still depends on x86, what compatibility is actually being preserved, and what new users would benefit from ARM64 builds.

Part of the job is to make these transitions possible before they become urgent.

In closing

Open source maintenance is invisible by design. If everything goes well, users do not notice that a dependency was rebuilt, a compiler issue was fixed, an extension was patched, or a CI workflow was improved. They just download PHP and continue working.

That is the goal.

But it is also why it is worth talking about this work occasionally. The reliability of a project like PHP depends on many layers of maintenance that happen outside the spotlight.

The Windows side of PHP has its own set of challenges, and continuing to invest in it helps keep PHP accessible to more developers, more environments, and more use cases.

After a brief set-up period, I jumped into three main activities:

• assessing PHP community members' most pressing needs
• assembling a team of volunteers to help
• applying the resources granted to scan PHP ecosystem projects

Setup included getting started with building collaborative toolchains, ensuring access to scanning budgets and models, defining our metrics for reporting, and identifying effective ways to distribute security vulnerability findings and to support maintainers.

So far we talked to 35 project maintainers about our project scanning efforts and the security concerns they have. We shared hundreds of potential security vulnerability findings, leading to nearly a hundred publicly available fixes across the ecosystem already, and many great and useful conversations.

Additionally there were mass fixes of the same finding across many repositories. For example, in one case, we had around 200 repositories apply the same fix to their GitHub Actions as they are managed via a central template. I didn’t want to inflate the numbers so these instances are counted as a single fix.

In total, we scanned and rescanned over 300 of the most downloaded Composer packages and nearly all big frameworks. We got in touch with the respective maintainers or found people to jump in and help address security vulnerabilities where that was needed.

I want to extend a personal thank you to Graham Campbell, who has been very helpful in getting me started with ideas and initial issue validation in the first couple of days of my new role and who has continued to be responsive and helpful with solving issues in other projects.

Current efforts

Project scanning for security vulnerabilities continues at a steady pace to make the most use of the resources we've been provided with. We do not only search for vulnerabilities, but also help triage, reproduce issues, help with impact analysis, and where necessary supply fixes by using our access to AI models and their extended “Cyber” capabilities.

I will continue to talk to everyone who approaches me while providing a steady flow of public-facing communication about our efforts.

All maintainers who approached me so far were kind enough to offer to validate the generated findings themselves. I was able to focus primarily on generating reproducers and letting the experts figure out whether a particular finding represents a security issue, a bugfix, or an invalid report. The maintainers in these cases were handling their own reporting and disclosure on their own terms and in a way that fits their timeline.

I’m personally delighted by the great community response, both quantitatively and qualitatively: Nearly everyone has been supportive and I encountered only one negative maintainer interaction and one person we are still looking to get in touch with. I couldn’t be happier with the maturity, readiness and friendliness of the wider community. I didn’t expect anything else from PHP, but it’s great to be proven right.

Shared tooling: Scrutineer

When scanning many projects, we face challenges: Getting reproducible and reliable outputs, avoiding false positives, and using our resources effectively without duplicating work, all while allowing each person scanning to run multiple agents in parallel without human interaction during the initial scanning process. Security analysis needs to be performed in isolated containerized environments that keep the infrastructure we use for scanning secure.

To pool our efforts, we are working with the Ecosystem Security Engineers from other languages and the Team at Alpha-Omega on shared tooling for this purpose. Specifically we're collaborating on Scrutineer. I want to give a special shout out to Alexandre Daubois from Les-Tilleuls.coop. His contributions to Scrutineer have been very valuable in enabling more people to effectively scan PHP projects.

Scrutineer enables more structured results and an easier reporting process. It also helps to let people with access to different, otherwise unavailable, AI models, or with access to more resource capacity, scan projects on our behalf. Using Scrutineer we can tailor the containers used for analysis towards the PHP ecosystem to improve the quality of scanning results through tooling to create and validate reproducers. The report quality would be drastically lower and require more clean-up work without effective automated feedback loops.

Helping projects with individual approaches

We help projects and maintainers digest reports, create reproducers, deduplicate security vulnerability findings, and suggest and validate fixes.

When I accepted my new role, I was unsure how many projects would reach out for help with these tasks. I've received feedback that the quality of reports maintainers are receiving has gone up significantly in the last couple of months. So I've not received many requests to assist with processing reports and proposed fixes. Many maintainers report that they use their own coding agents to validate and reproduce received security vulnerability findings effectively. But for some more complex issues, currently available AI models cannot help or refuse to help with working on an exploit for a potential vulnerability. In these cases, I can be of help.

Sometimes, the automated scanning doesn’t produce clear results or the threat modeling or attack vectors are not clear enough. In these cases, I spend time with each project to better understand what the AI models should be assessing and steer them in that direction.

A special mention here is the PHP project itself: Many people like to try their new security tools on PHP, due to its popularity. The inherent complexity of a programming language runtime results in significantly lower quality results from agentic security approaches. The reports the PHP project receives are harder to digest than they are in userland PHP libraries with a clearer threat model and attack surface.

I was not yet able to help PHP itself much so far, due to time constraints. I intend to work on core PHP a lot more in the coming months. The communication with the PHP core developer team is great and I’m eager to get properly started and see where I can help them.

Assembling a team

I was delighted to see that the PHP Foundation is launching Community Special Interest Groups. One of them is the Ecosystem Security Team, which the PHP Foundation wishes to sustain far beyond the 6 months of the initial grant funding, so I've begun to assemble a team around these security and maintainer support efforts.

If you want to reach out and talk with like-minded people about security, you can find a couple of us in the #ecosystem-security channel on the phpc Discord. The PHP Community Foundation was kind enough to create a channel for us and #the-php-foundation in general. I’m “@edorian” on there, if you want to say hi.

For sensitive topics, you can always get in touch with me directly.

Next to Alexandre, who I already mentioned above, a name I’ve come across a lot when talking to maintainers was Ilia Alshanetsky. Ilia has been doing a lot of independent work and I asked him to join the Ecosystem Security Team so we can better coordinate our efforts.

Looking ahead

The goals I set myself for the next month are:

• Scan another 250 projects and report all collected findings
• Perform a dedicated, deeper analysis of core projects and libraries
• Spend more time helping out with php-src and PHP Extensions issues

I will continue to be available to help any project maintainers who reach out.

Get in touch

To repeat what was already mentioned above: We have capacity to scan and help more maintainers.

Discord: #ecosystem-security on the #phpc community server (Invite)

Email: volker@thephp.foundation

As mentioned in our 2026 Strategy document, this group will be focused on improving the perception of PHP outside the PHP bubble. It will center on external advocacy and empowering the community to help tell the story of modern PHP in whatever capacity makes sense for them. Whether it be at a local open source group, inside a company, or at an open source conference, we want to provide PHP community members with the tools and resources they need to advocate on behalf of the PHP ecosystem.

The first meeting is 1 hour long and scheduled for Tuesday, June 30, 2026 at 10:30 am EDT / 2:30 pm UTC. This will be a kick-off session where we collaborate on the goals and objectives of the group and schedule a date/time for future meetings. If you would like to participate but you are unable to attend, that’s okay! (We know time zones are hard.) We will share post-meeting notes in a public repository within The PHP Foundation GitHub organization, along with ways in which you can contribute asynchronously.

If you would like to attend our kick-off meeting, you can fill out this form to register your interest. From there, we will send you meeting details. If you have already filled this out, you do not need to fill it out again. We will be contacting you shortly.

Please join us if you would like to help improve the perception of PHP!

There is one particularity in my developer experience: I'm totally blind from birth. So I use a screen reader, a tool that sends information to speech and/or a Braille display.

Of course, blind programmers are not a single organism with a shared configuration file. We use different tools and tolerance levels for punctuation spoken at 500 miles per hour. Still, PHP has many qualities that make it comfortable to read and write non-visually.

Syntax as landmarks

Accessibility in programming is often discussed through tools, and tools matter a lot; but the language itself matters too, because syntax is something we hear, search, remember, and sometimes read on a Braille display.

As we all know, every variable in PHP starts with $, and although this is often treated as one of those old PHP quirks people love to mention, for a screen reader user it is rather a practical landmark. I do not need to infer whether user is a variable, a constant, a class name, a function, or something else, because $user announces itself immediately. Without that marker, something like User user = new User() becomes, in speech, “user user equals new user left parenthesis right parenthesis”, or in my birdspeak, “user user equal new user left right”; this is understandable, yes, but it still requires a tiny effort to decrypt. A thousand tiny little efforts a day, actually.

Functions also have a clear marker: the function keyword, and arrow functions have fn. These words are searchable, predictable anchors in a file, especially because not every blind developer lives inside a large visual IDE. Many of us use code or even text editors, command-line tools and search where they work well, so if I want to jump through functions in a file, the word function is my friend.

PHP’s modern object-oriented syntax also has a pleasant rhythm:

public function getDisplayName(): string

Maybe because I come from a linguistics background, it matters to me that this is a good phrase to hear and read: it has full words, it has structure — visibility, function, name, parameter list, colon, return type. I do not want to start a language war — well, not today — but when code is read linearly through speech or Braille, explicit syntax can be more comfortable than compact syntax.

The same is true for braces and semicolons: a closing brace tells me that a block has ended, a semicolon tells me that a statement has ended, and both save me from reconstructing structure from indentation alone. Indentation is useful, of course, but braces act as milestones: block ended, period, go further.

Naming conventions matter too. In PHP, we commonly see camelCase, PascalCase, and UPPER_SNAKE_CASE. For me, camelCase is convenient because screen readers often separate the words naturally, while UPPER_SNAKE_CASE constants are noticeable, especially in Braille. The ordinary snake case is harder: if punctuation is enabled, — and it is while writing code! — my_very_descriptive_variable_name may become “my underscore very underscore descriptive underscore variable underscore name”. You can tune punctuation settings, and I have done it, but it still adds work.

PHP is not perfect; no language is. But accessibility is not only elegance: sometimes it is predictability, explicitness, and being able to search for function, hear a friendly $, distinguish a constant on a Braille display, and know that a block ended because there is a }.

What about learning?

The second part of the story is learning. The PHP language itself can be friendly to assistive technology, but programming education is much more uneven. Many tutorials today are video-first, visually dense, and full of phrases like “click here”, “as you can see”, or “now we get this result”. That is fine if the important information is also spoken or written, but it becomes a barrier when the tutorial depends on visual context that is never explained.

Here is a simple rule of thumb: close your eyes and try to understand what is happening in a course or conference talk. If you cannot, the blind part of your audience is immediately excluded. A blind learner cannot use “this button here” if “here” only means the instructor’s mouse pointer, cannot copy code from a screenshot, and cannot easily follow a refactoring if the teacher silently selects a block and says, “now we just fix it this way”.

And this is not only about blindness. Clear teaching helps everyone: beginners, people learning in a second language, people watching on a phone, and people returning to a tutorial six months later.

So here is my practical wish for people teaching PHP: provide the code as text, ideally in a Git repository. Say what file you are editing, say what function you are in, and do not rely only on “as you can see”. If something changes on screen, describe the change; if you show an error, read the important part of the error; if you use a diagram, briefly explain what it means. If you publish slides, make sure code examples are real text, and not just images, and consider publishing a transcript.

Good written material also matters. PHP has always had a strong culture of documentation and examples, and that is not just convenient; it is an accessibility feature.

Conclusion

Accessibility is essential for users, but developers need accessibility too. For me, part of PHP’s approachability is that the code gives me landmarks: it speaks in a structure I can follow, lets me search, and marks important parts in ways that are not only visual.

These are small things, but programming is made of small things repeated many times, and when those small things reduce friction, they let more people build.

In short, the community loves PHP and believes in the Foundation's role, but is asking us to be clearer, more visible, and more coordinated in addressing existing and future challenges. The 2026 strategy answers those concerns through four themes:

1. Repositioning PHP: close the gap between today's PHP and the outdated perception that still shapes hiring and tech-stack decisions.
2. Initiatives with Community as Partners: scale our impact through six Special Interest Groups that address documented gaps.
3. Visibility & Voice of the Foundation: consistently surface priorities, work, and impact to the community, sponsors, and the Board.
4. Language Stewardship: support the technical work that already happens around PHP core and the RFC process while staying clear about the Foundation's role as facilitator and resource, not the driver of decisions.

Through our 2025 work, and in addition to addressing community feedback, the Foundation set goals for 2026, which are also baked into this strategy.

By the end of 2026, success looks like: a regular communication cadence for increased transparency; six operational Special Interest Groups with active community engagement and clear goals; a more diversified sponsor base and a clear, repeatable story about modern PHP that the community can carry into rooms where decisions get made.

Strategic Themes for 2026

Four themes organize the 2026 plan. Each maps directly to a category of community feedback and 2026 goals. Together, they answer the dominant request from the listening tour: be more visible, more coordinated, and more clearly responsive to what the community has told us.

Theme 1: Repositioning PHP

The PHP that people remember is not the PHP that exists today. Closing that gap is a multi-year effort. 2026 lays the groundwork: a coordinated voice, better assets for advocacy, and new platforms to tell the story of PHP at scale.

Initiatives

• Foundation-hosted podcast. A Foundation-hosted series surfacing the companies and engineering teams running modern PHP at scale. The target audience is decision-makers and engineers outside the PHP bubble.
• PHP Ambassador Program. Brings together interested speakers; provides “State of Modern PHP” storytelling assets and CfP coordination that turn individual advocacy into a coordinated effort. More below.

Theme 2: Initiatives with Community as Partners

The Foundation has limited staff and limited budget, but the community has enormous capacity for making change. In 2026 we will create six structured Special Interest Groups that give community members multiple ways to contribute and focus their energy on the challenges that currently exist for the PHP ecosystem.

Initiatives

• Launch six Special Interest Groups. Build infrastructure to include interested community members in facing challenges across the ecosystem and from a variety of lenses. Details of these groups are below.

Theme 3: Visibility & Voice of the Foundation

The PHP Foundation and Board will regularly articulate what they are doing and why, and they will be consistently accessible and engaged with the PHP community.

Initiatives

• Communication plan. Build a quarterly reporting cadence with a focus on bugs and issues we are prioritizing; revive the newsletter; publish Board minutes in a public repository.
• Community engagement. Continue connection through community Discord channels; build a system to promote events where contractors and Board members will be; launch monthly Office Hours/Interviews with contractors/Board members.
• Website clarity. Publish a clear articulation of Foundation priorities, the distribution of work across contractors, and the Foundation's role relative to the language and the community.

Theme 4: Language Stewardship

This category contains the work the Foundation contributes to but does not own. The PHP codebase and the future of the language belong to the community. The Foundation's role is to support, facilitate, and convene, not to direct. In 2026, we will be explicit about that role and we will invest where the Foundation can meaningfully help.

Initiatives

• Contributor responsiveness and communication. Foundation contractors continue to lead in PR review and merge throughput; we will publish quarterly numbers so the community can see progress made by the team.
• PHP core documentation. Identify and fund a focused effort to refresh the internals book and contributor onboarding documentation, in coordination with internals maintainers. Create a more maintainable system for keeping documentation up to date, moving forward.
• PHP Security. The Alpha-Omega grant will position the Foundation at the center of a coordinated effort to improve security practices and procedures and fix security vulnerabilities across the PHP ecosystem.

Community Special Interest Groups

The PHP Foundation will launch six community special interest groups, with staggered launches from May through September. Each addresses one or more documented gaps from the listening tour, and each includes participation from the community, along with Foundation staff support. These are meant to be collaborative efforts with existing groups and individuals who have already spent time and energy addressing these topics.

At a Glance:

About the Special Interest Groups:

1. Ecosystem Security Team

Purpose: Improves security of the PHP ecosystem and helps maintainers as AI-assisted vulnerability research becomes more common. Proactively identifies vulnerabilities and triages vulnerability reports. Builds tooling to assess, classify, and address security issues. Assists maintainers in scanning projects and acts as a trusted resource to monitor and support them in critical scenarios. Note: The Team has already launched *. They have connected with 30 organizations and projects so far and performed over a thousand scans and affected changes in hundreds of repos. If you’re interested in a scan, or have questions for the team, get in touch!*

Success in 2026: Documentation for maintainers on available tooling, best practices and report triage; sustainability plan for continuing the work at the end of the grant; 1000+ projects scanned across the PHP ecosystem.

2. PHP Ambassador Program

Purpose: Advocacy for PHP outside the PHP ecosystem. Provides resources for people who want to give talks at open-source conferences and other open-source events; shares CfPs and maintains a calendar of conferences outside the PHP world; develops shared talk assets and messaging, including a maintained "State of Modern PHP" deck.

Success in 2026: at least 3 talks delivered by ambassadors at non-PHP open-source venues; a shared CfP calendar in active use; at least 10 participating community members; regular cadence of virtual gatherings of participants established.

3. PHP Onboarding Initiative

Purpose: Improves the experience of new users from first encounter through first deployment. Identifies setup pain points; coordinates education and learning resources; explores a structured mentorship program; documents a clear onboarding path that newcomers can follow; works with the php.net website team to improve documentation and experience.

Success in 2026: a published "getting started with PHP" path replacing the scattered resources currently in existence; a mentorship pilot with at least 5 mentor/mentee pairs; documented setup-time benchmarks against which 2027 progress can be measured; monthly virtual gatherings of participants established.

4. Cryptography Special Interest Group

Purpose: Provides a venue for Post-Quantum Cryptography discussions, and moves The PHP Foundation into a more active role in the PHP ecosystem's response; maps where cryptography exists across both PHP core and the wider ecosystem; tracks upstream developments in OpenSSL and libsodium; also provides a venue for related conversations and initiatives that may arise.

Success in 2026: a published "clear public readiness roadmap" that regulators, enterprise adopters, and the broader community can reference. Regular cadence of meetings is established.

5. Community Events Coalition

Purpose: Brings together user group leaders and conference organizers. Maintains a shared speaker pool; shares venue, sponsor, and operations resources; restores and maintains the PHP user group directory; helps promote new CfPs and new events; surfaces contribution opportunities for those looking to volunteer.

Success in 2026: the user group directory is current and active; at least one shared resource bundle (speaker pool, sponsor decks, venue tips) is in circulation; monthly virtual gatherings of organizers established.

6. PHP Accessibility & Inclusion Special Interest Group

Purpose: Works to make the language, its documentation, and its learning resources more accessible to a wider range of people across abilities, geographies, languages, and career stages. Supports community leaders and maintainers in building healthy, inclusive communities, including helping draft codes of conduct, and providing peer support for CoC report responses.

This group intentionally launches later, after the Foundation has demonstrated it can successfully implement and facilitate community-based Special Interest Groups. Sequencing should not be read as deprioritization: an interim advisory group will be convened in July-August to prepare the SIG’s goals and ensure that inclusion principles are baked into the charters of the earlier-launching groups.

Success in 2026: SIG is operational with an active roster and well-articulated goals; a shared code-of-conduct template and response plan for projects to use; an accessibility audit of the primary PHP web properties planned for implementation in 2027.

Fundraising & Sustainability

Fundraising is the single most consequential operational priority in 2026. The 2025 reserve drawdown is sustainable for now, but a multi-year drawdown would erode the Foundation's ability to maintain technical headcount. So although this was a measured and deliberate strategy, we are actively working to minimize the drawdown in 2026.

2026 Priorities

• Sponsor research. Structured conversations with current and prospective sponsors in or before Q3 to understand what they value, what benefits would matter, and where the Foundation's value proposition is unclear.
• Refreshed tiers and benefits, if needed. New or revised sponsorship tiers informed by the research, with clearer benefits and clearer reporting back to sponsors.
• Fundraising Initiative. A fundraising initiative that is already in discussion will be launched. Target net contribution: $40,000.
• Cross-ecosystem fundraising conversation. Active presence in the conversations that other foundations and policy bodies are having about open-source funding sustainability. PHP is not the only ecosystem facing harder fundraising; visibility in that conversation builds relationships and protects the Foundation's position.
• Advisory Board engagement. Quarterly Advisory Board meetings, increased activity in internal channels, stronger collaboration on perception of PHP, storytelling, and technical strategy.

2026 Financial Targets

• Total raised irrespective of grants: $700,000+ (versus $625,000 in 2025)
• Open Collective active contributors: 600+ (versus 536 in 2025)
• Top-10 sponsor concentration: reduced from ~51% to <45% of revenue
• At least 15 new Silver or higher level sponsors
• Reserve drawdown halted or materially reduced by Q1 2027
• Grant applications for 2027 where applicable

2026 Timeline for Implementation

The timeline below includes high-level initiatives, but it should be noted that there will be many other smaller efforts along the way, driven by standard Foundation operations, individual goals of the community groups, and unforeseen developments and opportunities that emerge throughout the year. This is not a comprehensive list of everything the Foundation will do in 2026.

Q2 2026

Q3 2026

Q4 2026

Risks & Mitigations

Ongoing Operations

Alongside the strategic initiatives above, the Foundation maintains an annual operating rhythm. These activities are not part of the 2026 strategic story but are essential to the Foundation's stability and to the community's experience of working with us.

• Contractor applications and renewals. Annual review of existing contracts and evaluation of new applications. The 2026 round will be informed by the results of our findings— particularly contributor responsiveness, internals documentation, and ecosystem technical leadership. Renewal decisions intersect directly with the 2026 fundraising targets and the reserve picture, so this cycle is tracked alongside the financial plan.
• Community survey partnership. The Foundation continues to partner on the running of community surveys. These provide quantitative signals that complement the qualitative listening tour and give us year-over-year measurement of the community's experience. Findings inform both the next year's strategy and public reporting.
• End-of-year fundraising drive. The annual November/December campaign anchors the Open Collective contributor count and is the moment when the broadest swath of the community contributes. The 2026 campaign will lean into the year's narrative— listening tour, Special Interest Groups, and technical impact— to make the case for the Foundation as clearly as possible. There is also a potential to tap into the 5th anniversary of the Foundation itself.
• Board minutes publication. Board minutes are published on an ongoing basis as part of the Foundation's governance transparency. This practice continues in 2026 alongside the broader push to make Foundation operations more legible to the community.
• Monthly expense and contribution tracking. Monthly tracking and reporting of expenses and Open Collective contributions provides the public financial baseline.

Gathering More Data

It should be noted that these strategies and ideas are based on the initial findings, and it would be wise to gather even more data that will inform future decisions and plans. We have recently launched a State of PHP Survey in partnership with PhpStorm from JetBrains, and will be releasing the results later in the year. We will also be open to coordinating future surveys and means of data collection.

Getting Involved

If you're interested in joining or learning more about a Special Interest Group, the best place to start is by letting us know through this general interest form. We'll also be sharing more details about each group through our newsletter and social media accounts as they launch.

We also want to encourage you to complete the survey as it will be helpful for the entire community to have more insight into how PHP is being used. Please go take the State of PHP Survey.

Lastly, as you know, none of this work is possible without the financial generosity of our community. We are incredibly grateful for all our individual and organizational supporters. If you would like to support The PHP Foundation's mission, please see our Open Collectives:

• To donate in USD: https://opencollective.com/phpfoundation
• To donate in EUR: https://opencollective.com/php-foundation-eur

Whether you're an individual developer, a company that runs PHP, a community organizer, or other type of PHP community member, we would love to include you on this journey. PHP thrives when we all take part!

This survey is an effort to build a clearer picture of how PHP is used today: who is using it, which tools and frameworks developers rely on, what challenges they face, how they feel about the language, and where they see PHP going next.

We invite everyone who works with PHP to participate.

Why we're launching the State of PHP survey

PHP has been around for more than 30 years, and it continues to evolve alongside the people and organizations that depend on it. The ecosystem is broad: developers use PHP across many countries, industries, experience levels, frameworks, deployment environments, and workflows. To support PHP effectively, we need better insight into that ecosystem. The goal is to gather representative input from PHP developers of all backgrounds. Whether you have been writing PHP for decades or only recently started, your perspective is invaluable.

What happens with the results

The aggregated results will be published in the State of PHP 2026 report later this year, which will be announced in The PHP Foundation and PhpStorm’s social media channels and newsletters.

The report will help the community better understand current PHP usage and trends. It will also provide useful insight for contributors, maintainers, tool authors, educators, companies, and everyone working to strengthen PHP and its ecosystem.

Take the survey

We encourage all PHP developers to take part and to share the survey with colleagues and local PHP communities.

Take the Survey

The more developers participate, the more useful and representative the final report will be.

Thank you for helping us map the PHP ecosystem and for being part of the first State of PHP survey.

-- The PHP Foundation and PhpStorm teams

Elizabeth Barron, The PHP Foundation’s Executive Director, is joining the lineup of JetBrains PHPverse 2026 speakers with a keynote talk “Getting to Know The PHP Foundation”. Tune in on June 9 to learn what The PHP Foundation actually does, which initiatives are planned for the rest of 2026, and how the community can help support the PHP ecosystem.

About JetBrains PHPverse

JetBrains PHPverse is a free online conference and community event bringing together the big and vibrant PHP herd. It was first held in 2025, reaching out to more than 55,000 developers worldwide.

Besides The PHP Foundation’s keynote, expect a curated lineup of talks from some of the most influential voices in the PHP ecosystem, covering the major PHP frameworks, tools, and shipping PHP code with AI:

• Fabien Potencier, Founder of Symfony
• Jeffrey Way, Founder of Laracasts
• Larry Garfield, Functional Programming Enthusiast
• Jonathan Bossenger, Developer Advocate at Automattic
• Nils Adermann, Co-Founder of Packagist
• Ashley Hindle, Founder and CEO of Fuel

The conversations and deep dives are hosted by Nuno Maduro, creator of Pest, Larastan, and Laravel Pint, and Brent Roose, Developer Advocate for PHP at JetBrains.

Join the conversation

For The PHP Foundation, JetBrains PHPverse is not just a talking stage, but a chance to engage in a conversation with thousands of engineers who use PHP every day.

We invite every member of the PHP community to join us for this day of learning and connection. Whether you’re interested in the latest RFCs, projects supported by the Foundation, or what’s next for tools you are using, there is something at PHPverse for everyone.

Register for JetBrains PHPverse 2026

We also encourage you to join the official Discord server to ask questions and engage with the speakers and fellow developers.

Looking forward to seeing you on June 9!

PHP turned 30 in 2025. With The PHP Foundation's support, the PHP project marked the year by shipping PHP 8.5. The PHP Foundation also launched PIE 1.0, initiated a project to modernize PHP's stream layer, and authored roughly 42% of all commits to PHP's core. This work was supported by 536 sponsors and individual contributors, and it could not have happened without them.

At the end of 2025, The PHP Foundation consisted of 8 volunteer board members, an Executive Director sponsored by JetBrains, and 11 contracted developers who worked part- and full-time to strengthen and improve the core PHP language through bug and security fixes, feature development, and contributing to the RFC process through discussion and development of new RFCs.

The total contributions received from sponsors and individual donors was $730,534, which enabled The PHP Foundation to advance its mission in a meaningful way.

About the PHP Foundation

The PHP Foundation's main focus is to ensure the sustainability and long term viability of the PHP language. Our priorities continue to be:

• Improving the language for users
• Providing high-quality maintenance
• Improving the project to retain current contributors and integrate new ones
• Promoting the public image of PHP

It should be noted that The PHP Foundation does not control the decisions made by the PHP community regarding the language, nor does it assume any governance over the language itself. PHP has always been, and will continue to be a community-owned Open Source project.

What we shipped in 2025

Leadership at The PHP Foundation coordinated several high-level initiatives, including:

• The completion of a Security Audit by Open Source Technology Improvement Fund (OSTIF), funded by the Sovereign Tech Agency through the Sovereign Tech Fund (STF), and sustained security advisory work across the team
• The addition of FrankenPHP to the PHP GitHub organization, in collaboration with Les-Tilleuls.coop
• The development of the official PHP SDK for MCP, in collaboration with the Symfony Team and Anthropic

In addition, in 2025, eleven Foundation-funded contractors collectively logged thousands of hours advancing PHP's language, runtime, security posture, ecosystem tooling, and community reach.

Key achievements included:

• Successful delivery of PHP 8.5
• Launch of PIE 1.0 and initiation of the formal PECL deprecation process
• Launch of the STF Streams modernization project
• PHP Foundation representation at the Open Regulatory Compliance Working Group on the EU Cyber Resilience Act

The PHP Foundation Staff

Our 2025 team was stable and productive, and worked very well together. We ended 2025 by adding one more contractor to the team in H2: Joe Watkins.

Therefore, as of January 1, 2026, 11 Foundation developers work on PHP:

• Arnaud Le Blanc @arnaud-lb
• David Carlier @devnexen
• Derick Rethans @derickr
• Gina P. Banyard @Girgias
• Ilija Tovilo @iluuu1994
• Jakub Zelenka @bukka
• James Titcumb @asgrim
• Joe Watkins @krakjoe
• Máté Kocsis @kocsismate
• Saki Takamachi @SakiTakamachi
• Shivam Mathur @shivammathur

Team Achievements

We acknowledge the limitations in providing any metrics; very rarely do metrics accurately represent the full scenario (for instance, a 1-line commit and a 100-line commit are counted equally in the overall number of commits). Additionally, some metrics are more difficult to capture than others. Therefore, we offer this set of obtainable metrics to collectively demonstrate the team's impact. To clarify the data points above:

• PRs merged = PRs that were authored by a contractor that were merged by anyone
• Community PR Reviews = PRs from other people that were reviewed/commented on by contractors
• % of Bug Fixes = the percent of all bug fix PRs that were authored by a contractor but merged by anyone in the community. PRs were considered “fixes” if they included the words “fix,” “resolve,” or “bug” in the title of the PR

Language & runtime

• URL/URI parsing RFC (Máté Kocsis) passed in May, representing PHP's most significant standard-library addition in years, including upstream contributions to the uriparser C library.
• Gina P. Banyard drove the entire PHP 8.5 deprecations and warnings RFC to php-src and authored 173 merged PRs (roughly 16% of all merged PRs to php-src in 2025).
• Arnaud Le Blanc's Tail Call VM technique merged in August, removing PHP's dependency on a single compiler for peak performance; he also co-developed Partial Function Applications v2 and Context Managers with Larry Garfield.
• Ilija Tovilo was the team's leading committer to php-src (565 commits) and advanced the Pattern Matching RFC alongside deep performance work on zend_op size and TMP|VAR consolidation.
• Saki Takamachi delivered BCMath optimizations and created xsse, a portable SIMD abstraction library already in use in php-src.
• Jakub Zelenka progressed with implementation of JsonSchema support for the JSON extension.

Security

Jakub Zelenka led sustained multi-month investigations on multiple security advisories, which included the handling of PHP security releases. Jakub also represented the PHP Foundation in the Open Regulatory Compliance Working Group shaping EU Cyber Resilience Act compliance. David Carlier delivered a steady stream of overflow, double-free, and memory leak fixes across GD, ZIP, intl, PDO_SQLite, sodium, and Fiber, upstreaming several directly to libgd. Shivam Mathur is responsible for security upgrades to Windows PHP builds addressing 50+ CVEs/security issues, and continues to support builds for 100+ extensions for Windows. Derick Rethans patched an XSS in php.net and ran an emergency CVE response for the rsync server.

Streams modernization (Sovereign Tech Fund)

The STF underwrote a 530-hour modernization of PHP's stream layer, delivering a new Polling API, TLS 1.3 improvements with session resumption (PSK, tickets, early data), redesigned stream error handling, an io_uring/IOCP abstraction, modernized copy infrastructure (copy_file_range, splice, sendfile), filter seeking improvements, and socket option enhancements. This is an ongoing project and will see more progress in 2026.

Ecosystem & infrastructure

The PHP Foundation has demonstrated meaningful contributions in several areas:

• PIE (the new PHP extension installer): James Titcumb authored 482 of 537 commits to php/pie (roughly 90% of the codebase) and 109 of 156 merged PRs. He shipped 14 PIE releases including 1.0 in June, formally initiated PECL's deprecation, and delivered five conference talks evangelizing the project.
• Windows infrastructure: Shivam Mathur authored 95% of commits to php/php-windows-builder and 98% of commits to php/web-downloads. Without his work, PHP would have no Windows distribution maintainer.
• French documentation: 38% of commits and 47% of merged PRs to php/doc-fr in 2025 came from David Carlier, a community-facing impact that is often invisible in English-language reporting but reaches Francophone PHP developers worldwide.
• Infrastructure: Derick Rethans migrated nearly every php.net property (wiki, downloads, qa, pecl, bugs, docs, www, and more) to modern Ansible-managed infrastructure, expanded WebAssembly support for interactive examples in the manual, and contributed alongside Shivam and Roman on the redesigned downloads page. Máté Kocsis and Ilija built statistical benchmarking infrastructure (Welch T-Test, Wilcoxon, Valgrind, variance reduction) underpinning the team's performance work.

Strategic R&D

Joe Watkins joined in H2 and published ORT, a PHP tensor library with backends for SSE2/SSE4.1/AVX2/AVX512, NEON, CUDA, RISC-V64, and WebAssembly (including a custom IEEE 754-2008 float16 implementation in C) reaching 97% test coverage and positioning PHP to participate in AI/ML workloads. Arnaud explored generational and Boehm GC, plus Modules and Snapshots PoCs.

Maintenance & stewardship

Beyond headline projects, the team spent a large percentage of their time carrying PHP's day-to-day weight: continuous bug triage (Ilija's largest recurring line item every month), monthly release management across 8.3.x and 8.4.x, cross-platform fixes spanning Windows, macOS, FreeBSD, Solaris, and Haiku, French (David) and Japanese (Saki) documentation contributions, mailing list moderation, and dozens of code reviews monthly across virtually every PHP subsystem. Additionally, the team spent time on maintenance and stable releases of external extensions including imagick and GnuPG, and tools like PHP-FPM that are part of PHP core.

RFCs

The following list covers RFCs authored or co-authored by PHP Foundation contractors in 2025, along with their RFCs that changed status in 2025.

*This person was not a contractor for The PHP Foundation at time of authorship, but is acknowledged here for their contribution to the RFC

The PHP Foundation Sponsors

Our sponsors and individual contributors are the lifeblood of The PHP Foundation, for without their continued support, we would not be able to continue making meaningful contributions and improvements to the PHP language.

Our highest level sponsors for 2025 were Sovereign Tech Agency, JetBrains, Automattic, GoDaddy.com, Passbolt, Sentry, Les-Tilleuls.coop, Craft CMS, Private Packagist, Cybozu, Tideways, Manychat, Zend by Perforce, CH Studio, and Aternos GmbH.

Overall, 536 organizations and individuals sponsored The PHP Foundation in 2025, which is substantially less than the previous year. This is an indication of an increasingly challenging fundraising space in the open source ecosystem, a reality our peers at other Foundations and Open Source projects are also navigating.

We are incredibly grateful for all those who have financially supported and continue to support The PHP Foundation.

The PHP Foundation Financial Report

In 2025, The PHP Foundation was financially backed by organizations and individuals with the goal of paying a competitive salary to as many core developers as possible. These numbers represent figures in USD.

*Fees include a 10% Open Source Collective fiscal host fee (dealing with contracts, expense reviews and payments, bank account management, official registrations and dealing with government requirements, open collective platform development etc), and 1-5% percent of payment processing fees, depending on the payment method used.

**Starting in 2025, some funds were donated and paid in Euro; please allow for small rounding variance due to conversion rates.

All incoming and outgoing transactions of The PHP Foundation are publicly available to view for anyone: https://opencollective.com/phpfoundation#category-BUDGET

The PHP Foundation Brand & Public Channels

The PHP Foundation represents a community of core PHP developers and advocates for the PHP programming language. The PHP Foundation used the channels listed below for public communication:

• 24.8K LinkedIn page followers: https://www.linkedin.com/company/phpfoundation
• 13.7K X followers: https://x.com/thephpf
• 1.2K Mastodon followers: https://phpc.social/@thephpf
• 1.2K Bluesky followers: https://bsky.app/profile/thephpf.bsky.social
• 3390 Subscribers to The PHP Foundation Newsletter

We will continue to grow our social media presence as a means of connecting with the broader PHP community.

Looking Back: Goals for 2025

In the previous report, we outlined a few organizational and technical goals. Let's take a look at how we did.

Organization Goals

• Secure funding to support core development and marketing initiatives. ✅

  The PHP Foundation received funds as noted above to continue our focus on core development and the marketing of PHP and The PHP Foundation.

• Launch the "PHP 30" anniversary campaign in collaboration with JetBrains. ✅

  The PHP Foundation celebrated 30 years of PHP at the PHPverse conference hosted by JetBrains.

• Consolidate and grow social media presence across multiple platforms. ✅

  The reach and engagement for our social media accounts grew in every platform.

• Increase website traffic through improved documentation and resources. ❓

  We only added tracking to the php.net website toward the end of 2024, so we did not have a baseline for comparison. This is something we can measure moving forward.

• Develop an Ambassador Program. ❌

  This was discussed, but not launched. Look for a version of this in 2026.

• Begin preparation for the "PHP Next" marketing campaign to highlight PHP's modernization. ❌

  This was discussed, but not launched. Look for a version of this in 2026.

• Modernize PHP's website with updated downloads page, documentation, and homepage. ⚠️ Partial

  This was partially completed and included a redesigned page for the 8.5 release and a clearer and more functional Downloads page. There is still work to be done on the homepage and in the documentation.

Technical Goals

• Continue on-going maintenance and development of the PHP core. ✅

  As demonstrated in this report, our contractors continue to focus on improving the PHP core.

• Establish a working group for integrating modern HTTP server capabilities into PHP core. ✅

  Instead, the PHP project incorporated the FrankenPHP project into its GitHub organization, offering a modern solution to running PHP in an HTTP server. This change was initiated by engineers at Les-Tilleuls.coop, and implemented in partnership with the PHP Foundation.

• Address key developer experience pain points, particularly for first-time users. ⚠️ Partial

  This was partially completed with the improvements on the Downloads page, but there is still much work and research to be done here.

Looking Ahead: Goals for 2026

2026 brings its own challenges but we are committed to continuing to make a measurable difference in the PHP language and ecosystem.

Organization Goals

• Complete the executive transition initiated in Q4 2025
• Complete the onboarding of a Director of Fundraising
• Expand support for the PHP Ecosystem
• Improve Foundation communication, transparency, and internal documentation
• Build a plan to improve public perception of PHP
• Balance spending with funding and creating a systematic approach to fundraising

Technical Goals

• Create Cryptography working group
• Explore support for continued security-focused work

Budget plan for 2026

Total expenses exceeded total received donations by approximately $139,000 in 2025, which was a deliberate choice to maintain investment in technical headcount while we strengthen relationships with sponsors and individual contributors. The PHP Foundation remains financially solvent with healthy reserves, and reducing this gap is a 2026 priority.

We will also continue to utilize Open Collective as our fiscal host, as they provide transparency and a suite of valuable financial services for The PHP Foundation.

Outro

The work in this report is the runway for what's next. We head into 2026 with real momentum and a clear sense of what the community has asked of us. None of the technical leadership, the security work, the new partnerships ahead, and the support for the PHP ecosystem happens without the people who fund us. With your help, together we can keep PHP thriving in a changing open source world.

In March, the Linux Foundation announced a grant with the goal of strengthening the security of the open source software ecosystem. This funding is managed by Alpha-Omega and the Open Source Security Foundation (OpenSSF).

We're delighted to announce the PHP Foundation has been awarded a grant from Alpha-Omega to help improve the security of the PHP open source ecosystem.

PHP is foundational to the modern web, and ensuring its security is essential for a significant portion of the web's functionality and integrity.

New security tools making use of AI are accelerating the discovery of vulnerabilities in open source software. Initiatives like Project Glasswing are attempting to prepare software for the increasing accessibility of such tooling to bad actors. A number of large PHP projects have already received and acted on credible audit reports and concrete issues found by these new tools.

At the same time, many projects have been reporting a drastic increase in the volume of vulnerability reports they have to deal with, many bearing the hallmarks of lazy AI generation. These low-quality reports waste maintainers' time and overshadow legitimate issues.

The PHP Foundation is creating a PHP Ecosystem Security Team to help our ecosystem maintainers with these new challenges. This new PHP Foundation team will help triage vulnerability reports and disclose them responsibly as necessary. It will work on tooling to discover, classify and remediate security vulnerabilities and share emerging techniques on using them effectively and help the PHP ecosystem adopt these tools. The team will respect maintainer bandwidth, provide high-quality reports, coordinate project access to new security tooling, support projects with only a few maintainers, and find solutions for projects with no active maintainers at all.

We're excited our friends at the Drupal Association were awarded a similar grant from Alpha-Omega to secure the Drupal ecosystem built on top of PHP. The PHP Foundation is looking forward to collaborating with the Drupal Security Team on shared approaches and we hope to be joined by more experts from individual PHP projects and subcommunities as we build out the new team.

The PHP Foundation grant will fund a six-month full-time position titled "Ecosystem AI Security Engineer in Residence at the PHP Foundation" to lead this effort and to prepare a sustainability plan for the time after this initial phase. This person will act as a trusted intermediary between security researchers and maintainers in urgent, high-risk situations, and will collaborate with peers in similar roles across other language ecosystems. Additionally, grant funding will also be employed toward the team goals described above where they cannot be accomplished by the single paid lead position or with the help of PHP community volunteers.

After many conversations with community leaders in the PHP ecosystem, known security experts and Foundation stakeholders, the PHP Foundation board voted unanimously to offer the position to Volker Dusch (@edorian). We asked Volker to introduce himself.

Meet Volker

👋,

Some of you may know me as one of the PHP 8.5 Release Managers, or might have met me at one of more than 100 PHP-related conferences I've visited or spoken at in the last 20 years.

PHP has been the main programming language of my professional career, from helping maintain PHPUnit for a couple of years and more recently, working on various language RFCs.

In the past, I've worked on a high-traffic social networking site, remote monitoring of solar plants and software for medical trials. Currently, I'm working on PHP performance and monitoring tooling at Tideways, which I'm grateful to for allowing me to take some time off to focus on this new challenge.

Interested in hearing from me? Got feedback?

My goal is to be open and communicate early about how the Ecosystem Security Team is taking shape while making the most of the resources we have.

Big projects and foundational libraries are on my radar for security analysis already, and I'm especially keen to hear from people who want to actively collaborate and have the bandwidth to do so.

So if you want to put your project forward or have questions or comments for me, I'd love to hear from you!

Get in touch via email: volker@thephp.foundation.

You can also find me on Mastodon and LinkedIn.

Our goal is to capture perspectives from across the PHP community – we want as many voices as possible to be included. To make that happen, we’re starting by collecting suggestions for survey questions.

This week, you can submit your proposed questions and upvote others through a dedicated form. We’ll review all submissions and select the most interesting ones to include in the survey, which will launch in June. If you have an idea for a question, you can submit your question here.

The submissions are open until April 28, 2026. We look forward to hearing from you!