Although it's possible to provide a relatively secure cryptography
library that builds on top of mcrypt (the earlier version of
defuse/php-encryption did), switching your code to openssl will
provide better security, performance, maintainability, and
portability.
The argument here isn't that mcrypt is doomed/inherently vulnerable, it's two-fold:
1. OpenSSL is a better choice, especially if you're an average PHP developer who is ignoring cryptographers' advice not to deploy your own crypto implementations
2. If a critical bug is found in libmcrypt, since nobody is maintaining it anymore, it is unlikely to get fixed. You are much safer using a library where patches are still being merged.
CodeIgniter prioritizes OpenSSL over Mcrypt. I swear I did not tip their devs off before I wrote it, Andrey Andreev must have come to a similar conclusion on his own.
- abandonware (fine), bugs, yes, but doesn't invalidate the case if you know the library and the warts
- design flaws make it hard to write correct code, it's crypto, you better know what you are doing regardless of the library
- algorithm identifies are confusing, see point above.