Official logo for LiteSpeed Web Server WAF

LiteSpeed Web Server WAF

by LiteSpeed Technologies

Free Tier Available
3.8
WAFPlanet Rating

Built-in WAF module for LiteSpeed Web Server providing ModSecurity-compatible protection with high performance and low resource usage.

Visit Website Documentation View Pricing
Company: LiteSpeed Technologies
Pricing: Per-server license
Founded: 2002

Overview

LiteSpeed Web Server, from LiteSpeed Technologies Inc., is a high-performance, Apache-compatible web server used as a drop-in replacement in hosting. Its WAF is a built-in, ModSecurity-compatible engine on a dedicated worker thread pool that applies the OWASP Core Rule Set (CRS v3+) and other rule sets inside the server, not at a cloud edge.

It ships in two editions: OpenLiteSpeed, the free open-source release, and LiteSpeed Enterprise (LSWS), a commercial edition with cPanel/WHM, Plesk, and DirectAdmin integration and .htaccess compatibility. Popular for WordPress via LSCache and QUIC.cloud, it does not enable CRS by default; you must turn on mod_security and install the rule set.

Because it runs inside server software on your own host, the WAF protects only that machine's applications, not a fleet behind a managed edge. Licensing is per server, from a Free Starter tier at $0 to Web Host Elite at $92/month, suiting hosting providers and self-managed WordPress or LAMP stacks rather than a centralized cloud WAF.

Ratings Breakdown

Ease of Use 4.0/5
Value for Money 4.5/5
Customer Support 3.5/5
Features 3.3/5

Key Features

ModSecurity Compatibility

Supports ModSecurity rules with significantly better performance than Apache mod_security.

Built-In WAF

WAF integrated directly into the web server for minimal overhead.

OWASP CRS Support

Compatible with the OWASP Core Rule Set; CRS must be enabled and the rule set installed, it is not active by default.

Pros & Cons

Pros

  • High performance

    Processes ModSecurity rules significantly faster than Apache with mod_security.

  • Free open-source option

    OpenLiteSpeed provides WAF capabilities at no cost.

  • cPanel integration

    Seamless integration with cPanel for hosting environments.

Cons

  • Server-level only

    Protects only applications on the LiteSpeed server; not a cloud WAF.

  • Limited advanced features

    Lacks bot management, API security, and advanced analytics of cloud WAFs.

Pricing

Pricing model: Per-server license

OpenLiteSpeed

Free

Open-source edition with basic WAF

  • ModSecurity compatible WAF
  • OWASP CRS support
  • HTTP/3 and QUIC
  • Community support

LiteSpeed Enterprise

From $0 (1-worker) to $92/month

Commercial edition with full WAF

  • Full ModSecurity compatibility
  • cPanel/WHM integration
  • Apache .htaccess support
  • Priority support

Our Verdict

LiteSpeed WAF offers excellent ModSecurity-compatible protection with superior performance. For hosting providers and WordPress sites already using LiteSpeed, the built-in WAF is a natural and efficient choice.

Our verdict: The best server-level WAF for LiteSpeed environments, especially hosting providers.

CVE Coverage

LiteSpeed Web Server WAF can detect and block attacks matching 105K+ known CVEs based on its supported rule sets.

13K+
Critical
25K+
High
44K+
Medium
1.7K+
Low

Coverage by Attack Type

Cross-Site Scripting (XSS) High
45K+ CVEs
SQL Injection High
19K+ CVEs
Improper Input Validation Medium
12K+ CVEs
Path Traversal High
9.1K+ CVEs
Code Injection Medium
6.5K+ CVEs
OS Command Injection High
5.9K+ CVEs
Unrestricted File Upload Medium
4.1K+ CVEs
Command Injection High
3.6K+ CVEs
Open Redirect Medium
1.5K+ CVEs
XML External Entity (XXE) High
1.2K+ CVEs

Latest Blockable CVEs

CVE Severity
CVE-2026-49294 UNKNOWN
CVE-2026-20262 MEDIUM
CVE-2026-9863 UNKNOWN
CVE-2026-9862 UNKNOWN
CVE-2025-15659 UNKNOWN
CVE-2025-15658 UNKNOWN
CVE-2026-52704 UNKNOWN
CVE-2019-25746 HIGH
CVE-2018-25436 CRITICAL
CVE-2016-20084 HIGH
Browse all CVEs →

Frequently Asked Questions

Is the LiteSpeed WAF based on ModSecurity and OWASP CRS?

Yes. LiteSpeed Web Server includes its own high-performance, ModSecurity-compatible engine that runs standard ModSecurity rule sets, including the OWASP Core Rule Set (CRS v3+), as well as Comodo, Atomicorp, and Imunify360 rules. It is a rules processor built into the server rather than a separate proprietary detection product.

What is the difference between OpenLiteSpeed and LiteSpeed Enterprise?

OpenLiteSpeed is the free, open-source edition; you enable its mod_security module and add CRS rules manually. LiteSpeed Enterprise is the commercial, closed-source edition with control-panel integration (cPanel/WHM, Plesk, DirectAdmin), Apache .htaccess compatibility, and priority support. Both can process ModSecurity and CRS rules.

How much does LiteSpeed Web Server cost?

OpenLiteSpeed is free. LiteSpeed Enterprise is a per-server license: a Free Starter tier (1 worker, under 2GB RAM) at $0, then paid tiers from Site Owner at $10/month up to Web Host Elite at $92/month (multi-worker plus anti-DDoS). Intermediate tiers include Web Host Professional ($46) and Web Host Enterprise ($65).

Does the LiteSpeed WAF protect WordPress sites?

Yes. LiteSpeed is popular for WordPress (it pairs with the LSCache plugin and QUIC.cloud), and the built-in ModSecurity-compatible WAF can apply OWASP CRS rules to protect WordPress and other apps hosted on the server. Note CRS is not active by default; it must be enabled and the rule set installed.

Is LiteSpeed a cloud WAF or server software?

It is server software, not a cloud or edge WAF. The WAF runs inside LiteSpeed Web Server on your own Linux host, so it only protects applications served by that server and offers no centralized multi-site cloud management, bot management, or API-security features found in cloud WAFs.

Ready to try LiteSpeed Web Server WAF?

Start with the free tier and upgrade as you grow.

Visit Website View Pricing