Imunify360 causes aggressive false positives, blocks server owner IP, breaks WordPress admin on DirectAdmin + LiteSpeed

Can

Can

New member
Joined
Nov 1, 2025
Messages
19
Location
TR
Hello,
I’m running DirectAdmin + LiteSpeed Enterprise on AlmaLinux 10 and recently installed Imunify360. After enabling Imunify360’s WAF, I started experiencing extremely aggressive false positives.

Here is what happened:
  • My own IP (server owner) was instantly blocked multiple times
  • Even normal WordPress actions such as installing a theme, updating plugins, or saving settings triggered WAF bans
  • WAF added my IP to chain_DENY through ModSecurity
  • I got locked out of DirectAdmin, WP Admin, SSH (even through VPN/Warp)
  • CSF/LFD and WordFence were NOT the cause
  • The blocking logs clearly showed:
    BFM: mod_security1=748 on my IP
  • Even after whitelisting my IP, the bans continued
  • Removing WordFence made no difference
  • Problem disappeared ONLY AFTER fully removing Imunify360
  • After uninstalling, everything works perfectly: CSF + LFD are stable, no bans, no false positives, WordPress works normally.
It looks like Imunify360’s ModSecurity rules conflict with LiteSpeed + WordPress on DirectAdmin and block legitimate admin actions.

I would like to ask:
  1. Is this a known issue with Imunify360 on DirectAdmin?
  2. Are there recommended ModSecurity configurations for WordPress to avoid these aggressive false positives?
  3. Do most DirectAdmin users rely only on CSF + LFD instead of Imunify360?
  4. Should Imunify360 be avoided in DirectAdmin + LiteSpeed environments?
Any guidance or official recommendations would be appreciated.

Thank you.
 
Can said:
BFM: mod_security1=748 on my IP
Click to expand...

Your IP got blocked by Directadmin Brute Force Manager (BFM), that found the IP violating mod_security rules 748 times. The mod_security rules were probably installed by Imunify360. So it is not about conflicting between Imunify360 and DirectAdmin. The reason is probably that the rules were too strict.

I've got a customer with DirectAdmin + LiteSpeed + Imunify360 (no CSF/LFD is installed at all). Never got a single complain about false positive blocks from them. Everything is running as it should.
 
zEitEr said:
Your IP got blocked by Directadmin Brute Force Manager (BFM), that found the IP violating mod_security rules 748 times. The mod_security rules were probably installed by Imunify360. So it is not about conflicting between Imunify360 and DirectAdmin. The reason is probably that the rules were too strict.

I've got a customer with DirectAdmin + LiteSpeed + Imunify360 (no CSF/LFD is installed at all). Never got a single complain about false positive blocks from them. Everything is running as it should.
Click to expand...
Yes, as you said, it was caused by mod_security. I still can’t understand how it flagged all my admin panel actions as dangerous — even though my IP address was already whitelisted.

I guess I need to run the setup without CSF and LFD. On top of that, there are LiteSpeed rules as well. When everything works together at the same time, it seems I unintentionally created the opposite effect.
 
You must log in or register to reply here.
Back
Top