Question about security layer on OpenLiteSpeed (no ModSecurity)

edumembe

Hi everyone,

First of all, apologies if this has already been discussed — I may have missed it in my searches or not fully understood previous answers.

In the documentation I’ve seen that ModSecurity is only available for Apache and Nginx application roles, so I understand that it doesn’t work with OpenLiteSpeed through the Enhance panel.

My question is:
What security/WAF layer does OpenLiteSpeed rely on when used as an application role in Enhance, without installing or adding anything extra outside of the panel?

More specifically:

Is there any built-in equivalent to ModSecurity (rules, WAF, etc.) for OLS managed from Enhance?

Or is security for OLS-based sites expected to be handled purely at other layers (firewall, Cloudflare/CDN, server-level tools, etc.)?

Are there any recommended best practices for securing WordPress sites on OpenLiteSpeed within Enhance, given that ModSecurity is not available on this role?

Thanks in advance for any clarification — I just want to be sure I understand the security model correctly before deciding whether to use OLS or Nginx/Apache for some production sites.

cPFence

edumembe

According to the Enhance team, WAF support for OLS is planned. Until then, you’ll need a paid security product to enable a server-wide WAF on OLS, all major providers support it.

opsshield

ModSecurity is still available with OLS. Though you need to configure it manually...it really works. There is no real replacement to suggest for ModSec to secure websites that can work within your server limit.