Experiencing a PHP Deprecated warning related to allowurlinclude in your cPanel or WHM environment? This warning typically appears because the allow_url_include setting is still enabled in your PHP configuration, and this feature has been marked as deprecated and is often disabled by default in modern PHP versions due to significant security risks.
The allow_url_include setting, when enabled, permits PHP scripts to include remote files using URL wrappers like http:// or ftp://. While this might seem convenient, it creates a major security vulnerability. Attackers could potentially trick your scripts into including malicious code from external websites, leading to website compromise, data theft, or other harmful activities. Therefore, disabling allow_url_include is the strongly recommended and standard solution for security reasons.
Here’s how you can fix this warning and disable the problematic setting within your cPanel or WHM managed server.
If you have WHM access (usually for server administrators), you have multiple ways to address this:
Using EasyApache 4: This is the primary tool in WHM for managing PHP and web server configurations.
- Navigate to WHM -> Software -> EasyApache 4.
- Click “Customize” for your current profile.
- Go to the “PHP Options” stage.
- Search for
allow_url_include. - Ensure the setting is disabled. If it’s enabled, toggle it off.
- Proceed through the stages and “Provision” the changes. This applies the setting system-wide for the PHP versions you are configuring.
Using MultiPHP INI Editor (WHM): This allows you to edit the
php.inisettings for specific PHP versions or set system-wide defaults.- Navigate to WHM -> Software -> MultiPHP INI Editor.
- Choose the PHP version you want to modify from the dropdown.
- Scroll down or search for
allow_url_include. - Set its value to
Off. - Apply the changes. This modifies the core
php.inifor that PHP version.
Using Tweak Settings (WHM): Sometimes, a global override can be found here.
- Navigate to WHM -> Server Configuration -> Tweak Settings.
- Go to the “PHP” tab.
- Look for an option related to
allow_url_includeor similar PHP security settings. - Ensure it’s set to the most secure option, which is typically disabled.
If you only have cPanel access for a specific account:
- Using MultiPHP INI Editor (cPanel): This tool allows individual users to modify PHP settings for their account or specific domains.
- Log in to your cPanel account.
- Navigate to Software -> MultiPHP INI Editor.
- Select your home directory or a specific domain from the dropdown.
- Scroll down or search for
allow_url_include. - Set its value to
Off. - Click “Apply”. This creates or modifies a local
php.inior.user.inifile that overrides the global setting for your account or the selected domain.
After making the change, it’s often necessary to wait a few minutes for the configuration to reload or sometimes restart the web server (Apache or LiteSpeed) for the change to take full effect system-wide, although cPanel/WHM tools usually handle this automatically.
By disabling allow_url_include, you effectively remove the deprecated warning and significantly enhance the security of your website and server by closing a critical vulnerability. This is a necessary step in maintaining a secure and up-to-date PHP environment.
Source: https://focusnic.com/blog/solusi-php-deprecated-directive-allow_url_include/
