Wordfence + OpenLiteSpeed / LiteSpeed Cache plugin problems

Nadav Levi
(@123nadav)

2 months, 1 week ago
Hello guys, how are you?

I’m trying to clarify and understand two issues related to Wordfence and OpenLiteSpeed.

First, to make things clearer and easier to diagnose, here is my setup:

I’m using an OpenLiteSpeed + WordPress deployment on Google Cloud:
https://docs.litespeedtech.com/cloud/images/wordpress/#__tabbed_1_4

—————————-

Issue 1: Advanced Firewall (WAF) behavior on OpenLiteSpeed

The advanced firewall from Wordfence works a bit differently on OpenLiteSpeed compared to more common setups like cPanel with Apache or Nginx.

On cPanel, Wordfence usually configures everything automatically through the Wordfence interface.
With OpenLiteSpeed, manual intervention is required, according to this documentation:
https://docs.openlitespeed.org/config/php/wordfence/

However, the path shown in the documentation is not accurate for OpenLiteSpeed.
The real path in my setup is:
```
php_value auto_prepend_file /var/www/html/wordfence-waf.php
```
Here is a screenshot from my OpenLiteSpeed GUI:
https://ibb.co/hxWKL6zY

The issue is that when I activate Advanced Protection in the Wordfence interface, Wordfence still tries to write code into the .htaccess file by default.

Here is a screenshot of my .htaccess:
https://ibb.co/Ggp37Xz

In the past, I used to delete this code from .htaccess. Over the years, while testing and toggling Advanced Protection on and off, I ended up leaving it there.

My questions are:
- If this .htaccess code is not effective on OpenLiteSpeed, can it cause any problems?
- Should I keep it or delete it?
- What is the actual impact of having this Wordfence-generated code inside .htaccess on OpenLiteSpeed?
—————————-

Issue 2: LiteSpeed “noabort” option

Another thing I’d like to clarify is the LiteSpeed noabort option in Wordfence.

In the Wordfence settings, there is an option called:
“Bypass the LiteSpeed ‘noabort’ check”

Since I’m using LiteSpeed, I enabled this option. My question is whether I actually need to enable it or not.

In previous Wordfence scans, I saw warnings related to this setting, which is why I enabled it.
What is the recommended configuration here?

—————————-

Issue 3: Main issue – Severe scan performance and admin freezes

I’m asking all of this because of a much bigger issue that I strongly suspect is related to Wordfence working together with:
- OpenLiteSpeed
- LiteSpeed PHP (lsphp)
- LiteSpeed Cache plugin
I’m not sure whether this is related to the noabort option or the .htaccess behavior, but I need to understand what’s really happening.

Wordfence scans are extremely intensive, especially when Advanced Protection (WAF) is enabled. Sometimes during scans:
- wp-admin freezes completely
- SSH access shows normal CPU and RAM usage (no overload)
- The backend becomes unresponsive anyway
At first, I didn’t understand why this was happening. I tried enabling the Wordfence option:
“Use low resource scanning (reduces server load by lengthening the scan duration)”

However:
- The scan failed due to limits
- Even without limits, the scan took 45 minutes, which is not normal
- I have other identical websites with the same configuration where scans complete in about 15 minutes
On OpenLiteSpeed servers, there is an idle_children setting.
In the past, LiteSpeed support and I reduced this value from 5 to 1 because too many idle children were waiting for connections.

I strongly suspect that Wordfence scans, or some Wordfence PHP execution (possibly WAF rules), are conflicting with the server, especially with lsphp, which behaves differently from standard PHP implementations.

What I need help with:
- Identifying exactly what is conflicting
- Understanding why scans take 45 minutes
- Determining whether something is misconfigured in Wordfence
- Whether the .htaccess code is contributing to the issue
- Whether there are required OpenLiteSpeed or PHP (php.ini) settings for Wordfence
- Maybe cache realted and need to exluded something from the litespeed cache plugin
- Object Cache? maybe problem with Wordfence. (object cache integrated inside litespeed cache plugin.
LiteSpeed support and I have tried many solutions, but we still haven’t found the root cause.
They are fairly confident that Wordfence is part of the problem as well.

I must to know if have something you know about your plugin with openlitespeed and litespeed-cache plugin i dont know, if it can be a special setting need to set up inside litespeed cache plugin or the openliteserver.

I would really appreciate your guidance and recommendations.

Regards,
Levi

The page I need help with: [log in to see the link]

Viewing 3 replies - 1 through 3 (of 3 total)

Thread Starter Nadav Levi
(@123nadav)

2 months ago

The problem is not only the scan. There is also a freezing issue in the backend. I’m pretty sure it’s a connection-related problem (idle_children or a rule in Wordfence conflicting with OLS + LiteSpeed Cache plugin or object cache via Litespeed cache plugin). It could also be related to noabort, but it’s almost impossible to identify the exact script causing it.

I’m about 90% sure it’s either Wordfence or LiteSpeed, because these are the only two plugins working aggressively in the backend. By the way, Wordfence should work smoothly with LiteSpeed, and whether noabort or abort is enabled should not be an issue.

Anyway, I appreciate your help. Let’s see what Wordfence support has to say about this issue.
Plugin Support wfpeter
(@wfpeter)

2 months ago
Hi @123nadav, I’ve tried to track the topic so far as best I can.

Wordfence’s .htaccess code is primarily for Apache-style setups. On OLS, the WAF should be loaded via the PHP auto_prepend_file or OLS PHP config you referenced. Leaving the .htaccess changes in place shouldn’t be harmful as they won’t be used by the server, but they’re not necessary to keep.

In Wordfence, you should only need to enable the “bypass” check if you have a specific Litespeed abort/timeout problem you’re confirming in logs, or you know noabort is globally disabled already by you as the server admin: https://www.wordfence.com/help/advanced/system-requirements/litespeed/

Does I/O also look normal when wp-admin freezes? We have seen some servers with strict I/O limits experience problems that sound similar to this recently. Given that CPU/RAM look normal at that time, this could point to PHP/LSAPI worker/process limits or timeouts (and reducing idle_children sounds like it could cause request starvation under load). Possible issues with LiteSpeed Cache/Object Cache during operations where many requests are being made, like scans, could also be a factor.

Please try:
1. Temporarily disable Litespeed Cache (including object cache) and rerun a scan.
2. Check OLS/LSAPI logs for killed/timeout requests during the scan window and paste them here. It may also be useful to turn on “Enable debugging mode” in the debugging section of the Tools > Diagnostics page and paste the output here if a scan fails or freezes while in-progress.
3. Share the Wordfence diagnostics output for this site to wftest @ wordfence . com. That’d help us recommend any changes if we can see the appropriate configuration items.
When sending diagnostics, add your forum username where indicated (or in the subject line if you send the txt file manually) and respond here afterwards as the inbox is unmonitored.

Many thanks,
Peter.
Thread Starter Nadav Levi
(@123nadav)

2 months ago
Hey @wfpeter, how are you? Long time no see.

I’ll try to answer everything you wrote to me.

Just so you know, I have a dedicated WordPress server on a very strong machine for one WordPress site, so the problem is not resources.

I’m running an E2-small (2 GB RAM, 2 vCPU, 20 GB SSD) on Google Cloud, with OpenLiteSpeed + WordPress on Ubuntu 24, deployed using this image:
https://docs.litespeedtech.com/cloud/images/wordpress/#__tabbed_1_4

No panels at all, so the server is very light. Everything is dedicated to one WordPress website.
The OpenLiteSpeed GUI is like Nginx or Apache, it’s not a control panel.

This is a very strong machine for a single WordPress site. As I said before, even when wp-admin freezes, RAM and CPU are very low.
However, when you mentioned I/O, I must admit Google Cloud does show activity there. LiteSpeed and I already know the issue is related to PHP (lsphp).

I’ll skip the .htaccess topic, as you said, it’s not harmful, so we’ll keep it.

———

1. Noabort

Wordfence scans the main WordPress .htaccess, which contains noabort.

There is also a specific one for AJAX:
https://ibb.co/YnYxKL2

And an env set at the bottom:
https://ibb.co/Ggp37Xz

From what I understand from LiteSpeed, the bottom one, SetEnv noabort 1 and this value is actually for the LiteSpeed panel, and the rule does not really work on OLS. It’s different behavior.

However, Wordfence only scans the .htaccess. In the past, Wordfence showed an error about this, so I checked the “skip” option for noabort in Wordfence settings.

——————-

2. I/O and backend freezing

You’re right about the I/O.

In the past, when the problem was more serious, the I/O graph in Google Cloud was going crazy, not RAM, not CPU, only I/O.

About 5 months ago, LiteSpeed support and I started investigating this much deeper.
We used stderr.log and the idle log (waiting children).

We noticed idle_children were waiting for connections but never receiving them, kind of a loop.
The OpenLiteSpeed deployment ships with 5 idle_children by default, which is a lot.

We reduced it from 5 to 1, and the freezing improved significantly (almost completely stopped).
However, we still get errors in the OLS log and stderr log.

The main issue we’re dealing with now is deadlocks (this may not be directly related to Wordfence, still investigating).

I know the logs clearly say LSAPI, but it’s triggered by WordPress PHP, usually during Wordfence scans.

———————

3. Wordfence scan issues and timing

A. I noticed that when I enable this option, the scan never finishes properly:

“Scan images, binary, and other files as if they were executable”

B. Another problematic option:

“Use low resource scanning (reduces server load by lengthening the scan duration)”

Regarding option A, I don’t know why, but when it’s enabled, the scan never finishes.

Regarding option B, the scan sometimes finishes, but it takes a very long time, about 40 minutes to scan ~150 MB (and that’s the entire site size, Wordfence doesn’t even scan everything).

This is not normal, and I suspect there may be some lsphp conflict with this option.

Currently, scans finish only if I disable both options.

————————–

4. Wordfence rules

This is a very tricky part.

I have extended protection with the WAF enabled in the main php.ini of OpenLiteSpeed. It works, Wordfence shows everything is OK.

When you do this, the default Wordfence rule set is activated.

I see many rules related to OBJECT, CACHE, LiteSpeed, etc., and some of these may conflict with LiteSpeed and the object cache (especially the object cache, btw object-cache.php file created by the LiteSpeed Cache plugin).

One issue not clearly connected to LiteSpeed is plugin updates. (i pretty sure is worfence set of rules)

I have two PRO plugins that do not auto-update, and I suspect the rules are blocking them:
- WP Google Maps Pro
- RankMath Pro (updates sometimes, but not always)
These are not small plugins:
https://www.wpgmaps.com/support/
https://rankmath.com/

The free versions update normally (from ww.wp.xz.cn), but the PRO versions do not.

I suspect there’s a rule blocking updates for PRO plugins not hosted on ww.wp.xz.cn.

——————————

5. LiteSpeed plugin

I never thought about disabling LiteSpeed and running a scan, I’ll try it.

In general, disabling the LiteSpeed plugin on this server is problematic. The deployment is designed to work with this plugin.

The moment I disable it, the server behavior changes. It will work, but we won’t get realistic results.

I have tested it before, the site works, but for Wordfence testing, I’ll try again.

——————————-

6. Enabling debug mode in Wordfence

I’m looking at this now and I’m willing to enable it, but I want to ask first:

Does this debug mode enable WordPress debug (e.g., WP_DEBUG in wp-config.php)?

If yes, I prefer not to enable it.
If it’s internal to Wordfence only, then I have no problem enabling it.

——————————–

7. Disable reading of php://input

You mentioned that lsphp may conflict with this option.

I currently have the default Wordfence configuration, and this option is unchecked.

Should I enable it?

Reference:
https://www.wordfence.com/help/?query=diagnostics-option-debugging-mode&utm_source=plugin&utm_medium=pluginUI&utm_campaign=docsIcon

I know this is long.
If you can at least answer points 6 and 7, I’ll run the scans and send you the report you asked for at wftest @ wordfence. com.

Regards,

Levi

Viewing 3 replies - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.