Running WHMCS on a WHM/cPanel server stack that includes LiteSpeed, Imunify360, and CloudLinux with CageFS can sometimes produce unexpected results. One issue we encountered was that WHMCS reported allow_url_fopen as Off even though every global and local php.ini was correctly set to On. This prevented WHMCS from performing automatic updates.
Server Setup
- WHM/cPanel: 130.0.7
- Web Server: LiteSpeed
- Security: Imunify360
- Operating System: CloudLinux with CageFS
The Problem
Inside WHMCS’s system health check, allow_url_fopen showed as Off. PHP CLI and site-level phpinfo() both reported On. This discrepancy meant WHMCS refused to run automatic updates. Searching through php.ini, .user.ini, and additional PHP include files revealed no setting forcing it Off. Yet, the WHMCS PHP runtime continued to display it disabled.
Root Cause
A deep scan uncovered that Imunify360 was injecting PHP hardening values through its LiteSpeed vendor configuration. Specifically, the file:
/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-litespeed/php_data
contained an entry for allow_url_fopen which LiteSpeed interpreted as disabled at runtime.
Why Normal Fixes Failed
Attempts to enable allow_url_fopen through:
- MultiPHP INI Editor
- Local php.ini and .user.ini overrides
- Global php.ini in /opt/cpanel/ea-php83/root/etc/
all failed. Imunify360 does not expose a direct toggle for allow_url_fopen outside its PHP Selector, and even that setting had no effect.
The Fix
The reliable solution was to manually override the Imunify360 vendor configuration by applying a persistent server-level directive.
Step 1: Edit Global Post VirtualHost Config
Edit the following file:
/etc/apache2/conf.d/includes/post_virtualhost_global.conf
Step 2: Add Override
Insert this directive:
php_admin_value allow_url_fopen On
Step 3: Rebuild and Restart
Apply the changes with these commands:
/scripts/ensure_vhost_includes --all-users
/scripts/rebuildhttpdconf
/scripts/restartsrv_httpd
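The three steps above as one idempotent script that also reports the vendor entry first. This is an added example, not code from the original article: the paths and commands are the ones named above, while the function names and the "apply" argument are assumptions for illustration, and the php_data line format is not assumed (plain substring match).

```shell
#!/bin/sh
# Added example: audit the Imunify360 vendor entry and apply the override once.
# Default paths are the ones named in the article; override via env to test.
VENDOR_FILE="${VENDOR_FILE:-/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-litespeed/php_data}"
INCLUDE_FILE="${INCLUDE_FILE:-/etc/apache2/conf.d/includes/post_virtualhost_global.conf}"
DIRECTIVE="allow_url_fopen"

# Print (with line numbers) every line of the vendor file that mentions the
# directive. Returns non-zero if the file is unreadable or has no such line.
vendor_entries() {
    [ -r "$1" ] || return 1
    grep -n -- "$DIRECTIVE" "$1"
}

# Succeed only if an active (uncommented) override line is already present.
override_present() {
    [ -r "$1" ] || return 1
    grep -Eiq "^[[:space:]]*php_admin_value[[:space:]]+$DIRECTIVE[[:space:]]+On[[:space:]]*$" "$1"
}

# Append the override once, keeping a timestamped backup of the include file.
apply_override() {
    if override_present "$1"; then
        echo "override already present in $1"
        return 0
    fi
    [ -f "$1" ] && cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
    printf '%s\n' "php_admin_value $DIRECTIVE On" >> "$1"
}

# Rebuild and restart with the three commands from Step 3.
rebuild_and_restart() {
    /scripts/ensure_vhost_includes --all-users &&
    /scripts/rebuildhttpdconf &&
    /scripts/restartsrv_httpd
}

# Acts only when run as root on the server with the argument "apply".
if [ "${1:-}" = "apply" ]; then
    vendor_entries "$VENDOR_FILE" || echo "no $DIRECTIVE entry in $VENDOR_FILE"
    apply_override "$INCLUDE_FILE" && rebuild_and_restart
fi
```

The include file is global, so the override applies to every virtual host on the server, not only the one running WHMCS.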
Result
After restarting LiteSpeed, WHMCS phpinfo() correctly displayed allow_url_fopen as On. Automatic updates resumed functioning as expected.
Conclusion
If WHMCS shows allow_url_fopen as Off despite every php.ini being set to On, and your server stack includes LiteSpeed and Imunify360, check the php_data file under Imunify’s vendor configs. Applying a manual php_admin_value override in post_virtualhost_global.conf ensures your settings persist across Imunify updates and restores WHMCS automatic update functionality.