Subscribe to our blog
  Print

WHMCS allow_url_fopen Off Blocking Automatic Updates {FIX}

993 Hits

Running WHMCS on a WHM/cPanel server stack that includes LiteSpeed, Imunify360, and CloudLinux with CageFS can sometimes produce unexpected results. One issue we encountered was that WHMCS reported allow_url_fopen as Off even though every global and local php.ini was correctly set to On. This prevented WHMCS from performing automatic updates.

Server Setup

  • WHM/cPanel: 130.0.7
  • Web Server: LiteSpeed
  • Security: Imunify360
  • Operating System: CloudLinux with CageFS

The Problem

Inside WHMCS’s system health check, allow_url_fopen showed as Off. PHP CLI and site-level phpinfo() both reported On. This discrepancy meant WHMCS refused to run automatic updates. Searching through php.ini, .user.ini, and additional PHP include files revealed no setting forcing it Off. Yet, the WHMCS PHP runtime continued to display it disabled.

Root Cause

A deep scan uncovered that Imunify360 was injecting PHP hardening values through its LiteSpeed vendor configuration. Specifically, the file:

/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-litespeed/php_data

contained an entry for allow_url_fopen which LiteSpeed interpreted as disabled at runtime.

Why Normal Fixes Failed

Attempts to enable allow_url_fopen through:

  • MultiPHP INI Editor
  • Local php.ini and .user.ini overrides
  • Global php.ini in /opt/cpanel/ea-php83/root/etc/

all failed. Imunify360 does not expose a direct toggle for allow_url_fopen outside its PHP Selector, and even that setting had no effect.

The Fix

The reliable solution was to manually override the Imunify360 vendor configuration by applying a persistent server-level directive.

Step 1: Edit Global Post VirtualHost Config

Edit the following file:

/etc/apache2/conf.d/includes/post_virtualhost_global.conf

Step 2: Add Override

Insert this directive:

php_admin_value allow_url_fopen On

Step 3: Rebuild and Restart

Apply the changes with these commands:

/scripts/ensure_vhost_includes --all-users
/scripts/rebuildhttpdconf
/scripts/restartsrv_httpd

Result

After restarting LiteSpeed, WHMCS phpinfo() correctly displayed allow_url_fopen as On. Automatic updates resumed functioning as expected.

Conclusion

If WHMCS shows allow_url_fopen as Off despite every php.ini being set to On, and your server stack includes LiteSpeed and Imunify360, check the php_data file under Imunify’s vendor configs. Applying a manual php_admin_value override in post_virtualhost_global.conf ensures your settings persist across Imunify updates and restores WHMCS automatic update functionality.

#WHMCS #WebHosting #cPanel #PHPSecurity #WebDevelopment

1
How do you feel about this post?
Happy (0)
Love (0)
Surprised (0)
Sad (0)
Angry (0)
FTP Doesn't Work or Stops Working
The Turn Group Launches New Website 2025

About the author

The Turn Group

The Turn Group

The Turn Group is a premier CMS Platform "Web Design and Development specialist", renowned for delivering exceptional online digital marketing and branding services. With a focus on quality and innovation, The Turn Group develops high-performing, highly-tailored website solutions to meet the diverse needs of their clients. As a trusted leader in the digital marketing community, The Turn Group is dedicated to helping businesses achieve their online goals.
Author's recent posts
More posts from author
 

Comments

No comments made yet. Be the first to submit a comment
Sunday, 05 October 2025

Creating Online Web Presences Since 2000

With our Nationwide Services – We Build With and Care

We develop in ALL cities and states and are in 62 different countries. Let us know what you need!

Website Design and Development Company The Turn Group

Located in:
We are a U.S. Based and Nationwide Headquarters in Kansas City, MO
By Appointment Only!

OUR SERVICES

OUR SERVICES

ACCOUNT ACCESS

Subscribe to our blog
General Inquiry   |  Sitemap   |  Legal Policies   |  Get a Quote