Community Events Insights

Key Takeaways From PHPverse 2026

On June 9, PHPverse 2026 brought together PHP developers from different backgrounds to watch talks by domain experts, exchange opinions, and even try to catch a running elePHPant. The five-hour live stream has been viewed 15,000 times in total and received 10,206 live chat comments, with over 2,600 people watching concurrently at peak hours. 

Our goal was to give a stage to voices from different parts of the PHP ecosystem. And despite the diversity of perspectives, the main challenges and action points across the talks were the same: living with AI agents, countering new security threats, encouraging contributions and community involvement, and building on the foundation of modern PHP.

Below is a quick recap of the talks and key insights.

Fabien Potencier on maintaining the Symfony project 

As someone who has been maintaining Symfony’s open-source GitHub project of over 320 “subtree split” repositories for the last 20 years, Fabien attributes its longevity to a handful of deliberate choices: a stable core team of maintainers, staying opinionated, strict predictability, and non-negotiable backward compatibility. Together with the long-established practices, agents and LLMs are introducing new trends to OSS project maintenance too.

From human with scripts to human with agent skills.

Fabien shared how he uses his own AI agent (written in PHP!) with continuously refined agent skills to further automate the handling of pull requests, Git conflict resolution, and release delivery.

A good GitHub issue is a good prompt. We don’t need the pull request anymore.

Fabien also brought up how AI is shifting the notion of a good open-source contribution, from a PR with ready-made fixes toward a detailed, reproducible issue with clear context, the steps to reproduce it, and discussion threads. If the ticket is thorough enough, it is basically a well-formed prompt. The agent can take it and generate the fix itself.

We are using Terraform in an interesting way: We are not managing servers. This is all about ensuring consistency across all GitHub repositories.

Symfony’s use of Terraform deserves special attention. With Terraform, Symfony treats the monorepos as the single source of truth and keeps the descriptions, tags, and team permissions of its over 320 GitHub repositories consistent.

Watch the full talk:

Ashley Hindle on infrastructure for shipping agent-generated code

After more than 20 years of writing PHP and over half a trillion tokens spent across every major AI provider, Ashley Hindle now has agents writing roughly 99% of his code. In his talk, he argued that AI can now reliably produce production-ready PHP, but that capability only shows up if you do the work to make your systems “agent-ready”.

The gap between what agents can produce and what you actually get is the developer’s new job to close.

Ashley framed agent readiness as a set of pillars resting on the foundation of reproducible, parallelizable development environments that have everything the agent needs.

Another major consideration, in his experience, is ensuring a fast feedback loop for agents through enforced quality gates. Those comprise three tiers of checks: pre-commit checks on changed files only, pre-push checks on the whole codebase, and an agent-coordinated full quality gate running smoke tests and headless browser tests.

Your AGENTS.md guidelines file should have pointers to rules and references, but the fixing and enforcement should be automated with traditional tooling.

Crucially, rules should live in tooling (Rector, PHPStan, Laravel Pint, Pest), not in a bloated instructions file, and the agents should come into play only after programmatic automatic fixes have been run.

The guidelines file for Ashley’s current project is just 124 lines. It opens with the project’s goal and references “golden examples” of a test or a feature. He supplements this with skills (his favorites being Antropic’s front-end design skill, as well as skills for SVG animations, browser automation, and releases), along with cloned documentation repos as references. 

As for the prompt, Ashley recommends starting your work in Plan mode and having the agent interview you about what you want to achieve. He also recommends making sure to always tag the relevant files.

Watch the full talk:

Jonathan Bossenger on present-day WordPress

My goal today is not to ask you to always consider WordPress. I believe in the right tool for the job. But don’t overlook it due to possibly outdated beliefs.

In his talk, Jonathan Bossenger busts the 10 most common myths about WordPress. Starting with the misconception that modern WordPress is an outdated codebase with poor usage of the OOP principles, he highlighted that the project now recommends PHP 8.3 for new installs, and the Gutenberg editor and newer core code (like Interactivity API, AI client, and the MCP adapter) make extensive use of modern PHP practices, including type declarations, namespaces, and stricter patterns. 

Block editor has also evolved. Block themes now use WordPress’s own declarative templating language, replacing the old PHP tags-littered templates.

WordPress 6.9 had a 2.8 to 5.8 speed gain over WordPress 6.8, and every release continues to speed up like that.

Jonathan also tackled the performance stigma. WordPress now has a dedicated team maintaining a performance lab plugin, delivering steady, measurable gains release over release in contrast to the sluggishness of years past.

Other misconceptions about WordPress that Jonathan thoroughly cleared up include the beliefs that it has a heavy reliance on global state, overreliance on plugins to support custom fields, incongruent paradigms, security vulnerabilities, and lack of proper dependency management, as well as usage of WP_Error instead of exceptions. 

Watch the full talk:

Nils Adermann on the security of Composer dependencies in 2026

Two recent security incidents – a compromised Intercom PHP SDK and an attack on the Laravel-Lang project – showed that the threat models for developers have changed and PHP packages are now a direct target.

One compromised GitHub account, or one poorly secured GitHub Action, is now enough to hit a widely used PHP package.

In his talk, Nils Adermann, co-creator of Composer and Packagist, thoroughly walked us through what Composer and Packagist already protect against, what shipped recently, and what’s coming next.

We’re trying to now focus a bit more on prevention rather than just reaction.

Among the security measures that have already shipped, Nils mentioned an Aikido Malware feed ingested into Packagist, static analysis of GitHub Actions via zizmor, immutable stable versions, a dependency-policy framework, and the deprecation of the source-fallback mechanism that could circumvent malware blocks.

Besides that, a number of measures are still on their way. Those include a minimum release-age “cooldown”, organizational package ownership, staged release publishing with multi-factor authentication (MFA) approvals, client-side provenance policies, and many more.

Watch the full talk:

Jeffrey Way on how AI is changing the programmer world

What does AI actually mean for web developers? Depending on which social media thread you are currently reading, you are about to be either unstoppable or unemployed. In his talk, Jeffrey Way covered three worries, three wins, and three realities he thinks we, as software developers, have to contend with nowadays. 

Are we all months away from losing our jobs? That’s the big question. The answer is maybe. But almost certainly not. Surely not.

The wins center around ambition and enjoyment. AI allows you to build the things you’d never have made time for, build the things you weren’t capable of, and eliminate the work you’ve always hated.

Jeffrey also called for rethinking our current principles and systems – for example, what a commit or a six-week sprint means now, or whether human-optimized best practices still hold – and suggested viewing reusable skills as “almost like Wikipedia for programming best practices”.

Watch the full talk:

Mike Herchel on modern Drupal

Longtime Drupal core contributor Mike Herchel challenged misconceptions about Drupal and showed how much both Drupal CMS and the Drupal Core framework have changed. 

Under the hood, modern PHP is making Drupal faster. Since adopting object-oriented PHP and Symfony components around 2015, Drupal has leaned on Composer, dependency injection, PHP fibers, and what Mike called the best caching system he’s ever seen. A recent release cut database queries by up to 33%, and HTMX is replacing the legacy jQuery Ajax system.

It’s built for agents.

Finally, Mike noted how much Drupal’s architecture is AI-ready. Its strict, object-oriented APIs and structured content give agents the unambiguous feedback they need. Drupal’s AI initiative provides base modules for secure provider connections, as well as over 20 bolt-on modules, and agents can now generate JSX code components, Tailwind classes, CSS, and even ECA workflows.

Watch the full talk:

Larry Garfield on the internals of the PHP RFC process

Larry Garfield’s talk was about the machinery behind new PHP language releases – and how anyone using PHP can get involved. Larry explained the mailing list, what makes good language features, the RFC lifecycle, and the voting system, making the case that contributing to a language that “runs the internet” means helping millions of developers. 

You do not need to have ever looked at a line of C code to be able to get involved in the discussion and say, “I would totally use this” – or “I will never use this”.

In addition to becoming RFC authors, Larry encouraged everyone who uses PHP to get involved in the discussions around submitted RFCs, provide feedback, and help shape what makes it to the voting stage.

The conversation also touched on RFCs that have already become PHP features. Larry’s own pick for the best PHP feature of the last decade is constructor property promotion. Looking ahead, he’d welcome generics, but argues that, from an ecosystem perspective, FrankenPHP is “the most important thing happening right now”. 

Watch the full talk:

Elizabeth Barron on The PHP Foundation

Elizabeth Barron, the new executive director of The PHP Foundation, shed light on why this organization exists. The goal is to keep PHP sustainable and viable for the long term, funding people to work on the language while explicitly keeping out of its governance.

For 2026, the plan is to show up more and build with the community through a series of special interest groups: an ecosystem security team, a PHP ambassador program, an onboarding initiative, a cryptography SIG, a community events coalition, and an accessibility and inclusion group.

Elizabeth also focused on changing the perception of modern PHP:

Am I worried about PHP? Not at all. And there are two reasons for that: the community and the language itself. It’s great, it’s stable, it does exactly what you want it to do. The language is not the problem – that’s the perception. So that’s an absolutely solvable problem – just telling stories and changing perception.

When asked how the foundation would spend a hypothetical sponsorship of 100 million dollars, Elizabeth’s immediate answer was: on the backlog of open issues and PRs in the PHP source.

Getting rid of the technical debt would make things so much easier to move forward. I think one of the reasons it takes a while for things to get merged is that the process is not easy. Tweaking our processes, cleaning stuff up – all of that takes time and money and energy to do, and there’s so many other fun things to work on.

Watch the full talk:

Don’t miss next year’s PHPverse

We are looking forward to seeing you at PHPverse next year. Subscribe to the email list to be among the first to get notified about the date and lineup for next year’s event.

Want to come as a speaker? Submit your talk proposal here.

And don’t forget to follow PhpStorm on X for all the latest news.

Discover more