I built a modern PHP code obfuscator

Four months ago, I had a problem I didn’t expect to have.

My release pipeline was failing because the official repository of YakPro Obfuscator was simply… gone.

Deleted.

I made quite a bit research for a simple yet effective PHP obfuscator, but there wasn’t anything…

I don’t want to rely on Ioncube because not every hosting provider enables that extension and it’s a risk for commercial products.

Also, I didn’t want to go extreme on the obfuscation / encryption path. I just need a bit of hardening. The clients who are willing to pay and get updates will be enough for me. The occasional ‘pirated’ versions of my apps shouldn’t be a big risk to my business.

So, I decided to build an obfuscator of my own, being inspired by what was available out there, and make it even better since we now have the power of AI. So I built iserter/php-obfuscator. It had some bugs here and there along the way, but eventually it became a pretty reliable version.

I have been using it to obfuscate five WordPress plugins for the past 4 months, and I’m pretty happy with it. So I think it’s time for me to share it with the world.


Built for modern PHP

One of my goals from day one was simple:

If PHP introduces new language features, the obfuscator should support them.

Not six years later.

Today the project supports modern PHP syntax instead of assuming every codebase looks like legacy PHP 5.x. It is actively maintained and designed around current PHP development practices rather than historical compatibility alone.


Open source because everyone needed a replacement

After YakPro’s repository disappeared, I wasn’t the only developer looking for an alternative.

The PHP ecosystem needed a maintained, modern replacement.

So instead of keeping my internal tool private, I published it.

MIT licensed. Free. No artificial limitations. No commercial edition. No license server. Use it. Improve it. Report bugs.


Obfuscation is not complete security. And that’s okay.

Let’s get this out of the way.

No PHP obfuscator can magically “encrypt” your source code.

That’s impossible without requiring custom runtime extensions.

If PHP can execute it, someone determined enough can eventually reverse engineer it.

That’s reality.

Obfuscation exists for a different reason.

It dramatically raises the cost of copying your work.

For some commercial applications, that’s a fair level of protection.

We’re not trying to defeat nation-state intelligence agencies here.

We’re trying to stop casual copying, unauthorized modifications, and competitors looking for an easy shortcut.

Different problem.

Different solution.


Ready for CI/CD, not just local machines

I included a ready-to-use GitHub Action, making it easy to integrate into your existing CI/CD pipeline. Every tagged release or production build can produce consistently obfuscated code without anyone remembering to run another command.

Add it to your release Github Action to obfuscate your code automatically:

steps:
  - uses: iserter/[email protected]
    with:
      source: 'src'
      output: 'dist'

Available on Packagist/Composer too.

Install:

composer require iserter/php-obfuscator --dev

Use:

vendor/bin/obfuscate src/ -o dist/

Or use via Docker

If you’re a hygine freak for your host system, then here’s how you can use via Docker:

docker run --rm -v $(pwd):/app iserter/php-obfuscator src/ -o out/

See it on Github:

Repository:

github.com/iSerter/php-obfuscator

Leave a Comment