Other than just hashing the password like that:
password_hash($password, PASSWORD_BCRYPT);
What is the recommended rounds of iteration for bcrypt? I know for certain that four rounds of blowfish are susceptible to a second-order differential attack but the server utilizing the process of hashing would probably be fine with a lot bigger cost in most cases. 14 rounds can be distinguished from a pseudorandom permutation so that's ruled out as well.
Is 16 the highest possible cost? Also how is the salt being generated (if omitted)?
In case of BCrypt you do not specify the number of rounds, instead you define a cost factor. The cost factor will be raised to the power of 2, that means, increasing the cost factor by 1, will double the computing time.
$numberofRounds = 2 ^ $costFactor
The default value is currently 10, the highest possible value is currently 31. To determine the cost factor you should go the other way round, measure the time your server needs for different cost factors. Then you can decide what cost factor is bearable for your server.
There is a small example script in the PHP documentation, which helps finding an appropriate cost factor.