Other than just hashing the password like that:
password_hash($password, PASSWORD_BCRYPT);
What is the recommended number of rounds of iteration for bcrypt? I know for certain that four rounds of Blowfish are susceptible to a second-order differential attack, but the server utilizing the process of hashing would probably be fine with a much bigger cost in most cases. 14 rounds can be distinguished from a pseudorandom permutation, so that's ruled out as well.
Is 16 the highest possible cost? Also, how is the salt being generated (if omitted)?
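Added example, not part of the original post: one way to pick the `cost` option for `password_hash()` by timing it on the server that will do the hashing, then reading the cost and the automatically generated salt back out of the resulting hash string. PHP accepts bcrypt costs from 4 to 31 (the value is the base-2 logarithm of the key-setup iteration count) and draws a random salt itself when none is supplied; the 250 ms target, the function name `calibrateBcryptCost` and the sample passwords are assumptions made for this example.

```php
<?php
// Added example: calibrate the bcrypt cost for this machine and inspect the hash.
// The target time and the passwords are constructed values, not from the post.

/**
 * Return the lowest cost whose hashing time reaches $targetMs on this host.
 * Each +1 in cost doubles the work, so the loop stops after a few steps.
 */
function calibrateBcryptCost(float $targetMs = 250.0, int $min = 10, int $max = 31): int
{
    for ($cost = $min; $cost <= $max; $cost++) {
        $start = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000;
        if ($elapsedMs >= $targetMs) {
            return $cost;
        }
    }
    return $max;
}

$password = 'correct horse battery staple'; // constructed sample input
$cost     = calibrateBcryptCost();

// No salt is passed: password_hash() generates one from the system CSPRNG.
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);

// A bcrypt hash is "$2y$<cost>$<22-char salt><31-char digest>".
[, $variant, $costField, $rest] = explode('$', $hash);
$salt   = substr($rest, 0, 22);
$digest = substr($rest, 22);

printf("variant=%s cost=%s salt=%s digest=%s\n", $variant, $costField, $salt, $digest);

// Hashing the same password again shows a different salt in the second string.
$second = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
printf("second salt=%s\n", substr(explode('$', $second)[3], 0, 22));

// Verification reads the cost and salt from the stored hash itself.
var_dump(password_verify($password, $hash));
var_dump(password_verify($password, $second));

// After raising the cost later, this flags old hashes to re-hash at next login.
var_dump(password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => $cost + 1]));
```

Run the calibration on production-class hardware and under realistic load, since the cost it returns depends on the CPU doing the hashing.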