Stream Mode Error

Hi,
Thanks for you rmessage.
It seems that something goes wrong while executing the request with FileGetContents but I will need more information.

Does the plugin work if Stream Mode is not enabled ?

Are you using the last 2.0.1 version of the plugin ?
Can you try with to enable the “Use cURL to call Local API” option ? (if you have curl installed on your server it won’t use the FileGetContents anymore)
Can you enable the debug mde ( (Advanced -> Enable debug mode) and see if there is more useful message in the wp-content/plugins/crowdsec/logs folder ?

Thanks

• This reply was modified 1 year, 9 months ago by CrowdSec - lightweight and collaborative security engine.

Hi, thank you for your reply.

I have enabled the logs and they do generate.
The server logs don’t show anything.

What is interesting is that if using SSH I try the following command curl -H “X-Api-Key:***” https://localhost:8080/v1/decisions?ip=%5Bmy ip], I get no output. (same if I try v2)

I would assume I am running the latest version, since I just installed crowdsec and the WP plugin a few hours before starting this thread.

Below is my log file with the IP address and application as well as user changed to wordpress. My path would be /home/[user]/webapps/[wordpress-app-name]/wp-content/…

I can’t spot any issues in the console either.

The plugin also seems to show all options even for “Stream Mode” with the toggle set to off.

Whenever I try to change that toggle I get a WordPress “There’s an error on your site” screen, and refreshing it goes back to the plugin dashboard.

2023-02-15T05:01:40.325072+00:00|100|Instantiate client|{"type":"CLIENT_INIT","configs":{"api_key":"***","auth_type":"api_key","tls_cert_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","tls_key_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","tls_verify_peer":false,"tls_ca_cert_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","api_url":"https://localhost:8080","api_timeout":120,"user_agent_version":"v2.0.1","user_agent_suffix":"WordPress"}}
2023-02-15T05:01:40.330354+00:00|100|Instantiate cache|{"type":"CACHE_INIT","configs":{"fs_cache_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../.cache"},"adapter":"Symfony\\Component\\Cache\\Adapter\\TagAwareAdapter"}
2023-02-15T05:01:40.331829+00:00|100|Instantiate remediation engine|{"type":"REM_INIT","configs":{"fallback_remediation":"captcha","stream_mode":false,"clean_ip_cache_duration":60,"bad_ip_cache_duration":120,"geolocation":{"enabled":false,"type":"maxmind","cache_duration":86400,"maxmind":{"database_type":"country","database_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../geolocation/"}},"ordered_remediations":["ban","captcha","bypass"]},"cache":"CrowdSec\\RemediationEngine\\CacheStorage\\PhpFiles"}
2023-02-15T05:01:40.332558+00:00|100|Instantiate bouncer|{"type":"BOUNCER_INIT","logger":"CrowdSec\\Common\\Logger\\FileLog","remediation":"CrowdSec\\RemediationEngine\\LapiRemediation","configs":{"use_curl":true,"debug_mode":true,"disable_prod_log":false,"log_directory_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../logs/","forced_test_ip":"","forced_test_forwarded_ip":"","display_errors":true,"bouncing_level":"flex_bouncing","trust_ip_forward_array":[],"cache_system":"phpfs","captcha_cache_duration":86400,"hide_mentions":false,"custom_css":"","excluded_uris":[]}}
2023-02-15T05:01:48.047865+00:00|100|Instantiate client|{"type":"CLIENT_INIT","configs":{"api_key":"***","auth_type":"api_key","tls_cert_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","tls_key_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","tls_verify_peer":false,"tls_ca_cert_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","api_url":"https://localhost:8080","api_timeout":120,"user_agent_version":"v2.0.1","user_agent_suffix":"WordPress"}}
2023-02-15T05:01:48.053283+00:00|100|Instantiate cache|{"type":"CACHE_INIT","configs":{"fs_cache_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../.cache"},"adapter":"Symfony\\Component\\Cache\\Adapter\\TagAwareAdapter"}
2023-02-15T05:01:48.054896+00:00|100|Instantiate remediation engine|{"type":"REM_INIT","configs":{"fallback_remediation":"captcha","stream_mode":false,"clean_ip_cache_duration":60,"bad_ip_cache_duration":120,"geolocation":{"enabled":false,"type":"maxmind","cache_duration":86400,"maxmind":{"database_type":"country","database_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../geolocation/"}},"ordered_remediations":["ban","captcha","bypass"]},"cache":"CrowdSec\\RemediationEngine\\CacheStorage\\PhpFiles"}
2023-02-15T05:01:48.055634+00:00|100|Instantiate bouncer|{"type":"BOUNCER_INIT","logger":"CrowdSec\\Common\\Logger\\FileLog","remediation":"CrowdSec\\RemediationEngine\\LapiRemediation","configs":{"use_curl":true,"debug_mode":true,"disable_prod_log":false,"log_directory_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../logs/","forced_test_ip":"","forced_test_forwarded_ip":"","display_errors":true,"bouncing_level":"flex_bouncing","trust_ip_forward_array":[],"cache_system":"phpfs","captcha_cache_duration":86400,"hide_mentions":false,"custom_css":"","excluded_uris":[]}}
2023-02-15T05:01:48.481303+00:00|100|Instantiate client|{"type":"CLIENT_INIT","configs":{"api_key":"***","auth_type":"api_key","tls_cert_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","tls_key_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","tls_verify_peer":false,"tls_ca_cert_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","api_url":"https://localhost:8080","api_timeout":120,"user_agent_version":"v2.0.1","user_agent_suffix":"WordPress"}}
2023-02-15T05:01:48.486573+00:00|100|Instantiate cache|{"type":"CACHE_INIT","configs":{"fs_cache_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../.cache"},"adapter":"Symfony\\Component\\Cache\\Adapter\\TagAwareAdapter"}
2023-02-15T05:01:48.488085+00:00|100|Instantiate remediation engine|{"type":"REM_INIT","configs":{"fallback_remediation":"captcha","stream_mode":false,"clean_ip_cache_duration":60,"bad_ip_cache_duration":120,"geolocation":{"enabled":false,"type":"maxmind","cache_duration":86400,"maxmind":{"database_type":"country","database_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../geolocation/"}},"ordered_remediations":["ban","captcha","bypass"]},"cache":"CrowdSec\\RemediationEngine\\CacheStorage\\PhpFiles"}
2023-02-15T05:01:48.488833+00:00|100|Instantiate bouncer|{"type":"BOUNCER_INIT","logger":"CrowdSec\\Common\\Logger\\FileLog","remediation":"CrowdSec\\RemediationEngine\\LapiRemediation","configs":{"use_curl":true,"debug_mode":true,"disable_prod_log":false,"log_directory_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../logs/","forced_test_ip":"","forced_test_forwarded_ip":"","display_errors":true,"bouncing_level":"flex_bouncing","trust_ip_forward_array":[],"cache_system":"phpfs","captcha_cache_duration":86400,"hide_mentions":false,"custom_css":"","excluded_uris":[]}}
2023-02-15T05:01:54.958708+00:00|100|Instantiate client|{"type":"CLIENT_INIT","configs":{"api_key":"***","auth_type":"api_key","tls_cert_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","tls_key_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","tls_verify_peer":false,"tls_ca_cert_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","api_url":"https://localhost:8080","api_timeout":120,"user_agent_version":"v2.0.1","user_agent_suffix":"WordPress"}}
2023-02-15T05:01:54.963942+00:00|100|Instantiate cache|{"type":"CACHE_INIT","configs":{"fs_cache_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../.cache"},"adapter":"Symfony\\Component\\Cache\\Adapter\\TagAwareAdapter"}
2023-02-15T05:01:54.965544+00:00|100|Instantiate remediation engine|{"type":"REM_INIT","configs":{"fallback_remediation":"captcha","stream_mode":false,"clean_ip_cache_duration":60,"bad_ip_cache_duration":120,"geolocation":{"enabled":false,"type":"maxmind","cache_duration":86400,"maxmind":{"database_type":"country","database_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../geolocation/"}},"ordered_remediations":["ban","captcha","bypass"]},"cache":"CrowdSec\\RemediationEngine\\CacheStorage\\PhpFiles"}
2023-02-15T05:01:54.966269+00:00|100|Instantiate bouncer|{"type":"BOUNCER_INIT","logger":"CrowdSec\\Common\\Logger\\FileLog","remediation":"CrowdSec\\RemediationEngine\\LapiRemediation","configs":{"use_curl":true,"debug_mode":true,"disable_prod_log":false,"log_directory_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../logs/","forced_test_ip":"","forced_test_forwarded_ip":"","display_errors":true,"bouncing_level":"flex_bouncing","trust_ip_forward_array":[],"cache_system":"phpfs","captcha_cache_duration":86400,"hide_mentions":false,"custom_css":"","excluded_uris":[]}}
2023-02-15T05:01:55.675763+00:00|100|Instantiate client|{"type":"CLIENT_INIT","configs":{"api_key":"***","auth_type":"api_key","tls_cert_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","tls_key_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","tls_verify_peer":false,"tls_ca_cert_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","api_url":"https://localhost:8080","api_timeout":120,"user_agent_version":"v2.0.1","user_agent_suffix":"WordPress"}}
2023-02-15T05:01:55.676161+00:00|100|Instantiate cache|{"type":"CACHE_INIT","configs":{"fs_cache_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../.cache"},"adapter":"Symfony\\Component\\Cache\\Adapter\\TagAwareAdapter"}
2023-02-15T05:01:55.676814+00:00|100|Instantiate remediation engine|{"type":"REM_INIT","configs":{"fallback_remediation":"captcha","stream_mode":false,"clean_ip_cache_duration":60,"bad_ip_cache_duration":120,"geolocation":{"enabled":false,"type":"maxmind","cache_duration":86400,"maxmind":{"database_type":"country","database_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../geolocation/"}},"ordered_remediations":["ban","captcha","bypass"]},"cache":"CrowdSec\\RemediationEngine\\CacheStorage\\PhpFiles"}
2023-02-15T05:01:55.677104+00:00|100|Instantiate bouncer|{"type":"BOUNCER_INIT","logger":"CrowdSec\\Common\\Logger\\FileLog","remediation":"CrowdSec\\RemediationEngine\\LapiRemediation","configs":{"use_curl":true,"debug_mode":true,"disable_prod_log":false,"log_directory_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../logs/","forced_test_ip":"","forced_test_forwarded_ip":"","display_errors":true,"bouncing_level":"flex_bouncing","trust_ip_forward_array":[],"cache_system":"phpfs","captcha_cache_duration":86400,"hide_mentions":false,"custom_css":"","excluded_uris":[]}}
2023-02-15T05:01:55.679092+00:00|100|Cache result|{"type":"LAPI_REM_CACHED_DECISIONS","ip":"[IP Address Redacted]","result":"miss"}
2023-02-15T05:01:55.679135+00:00|100|Now processing a bouncer request|{"type":"BOUNCER_CLIENT_REQUEST","method":"GET","endpoint":"/v1/decisions","parameters":{"ip":"[IP Address Redacted]"}}
2023-02-15T05:01:55.691466+00:00|100|Decisions have been sorted by priority|{"type":"REM_SORTED_DECISIONS","decisions":[{"0":"bypass","1":1676437375,"2":"lapi-remediation-engine-bypass-ip-[IP Address Redacted]","priority":2}]}
2023-02-15T05:01:56.045773+00:00|100|Instantiate client|{"type":"CLIENT_INIT","configs":{"api_key":"***","auth_type":"api_key","tls_cert_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","tls_key_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","tls_verify_peer":false,"tls_ca_cert_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","api_url":"https://localhost:8080","api_timeout":120,"user_agent_version":"v2.0.1","user_agent_suffix":"WordPress"}}
2023-02-15T05:01:56.051064+00:00|100|Instantiate cache|{"type":"CACHE_INIT","configs":{"fs_cache_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../.cache"},"adapter":"Symfony\\Component\\Cache\\Adapter\\TagAwareAdapter"}
2023-02-15T05:01:56.052650+00:00|100|Instantiate remediation engine|{"type":"REM_INIT","configs":{"fallback_remediation":"captcha","stream_mode":false,"clean_ip_cache_duration":60,"bad_ip_cache_duration":120,"geolocation":{"enabled":false,"type":"maxmind","cache_duration":86400,"maxmind":{"database_type":"country","database_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../geolocation/"}},"ordered_remediations":["ban","captcha","bypass"]},"cache":"CrowdSec\\RemediationEngine\\CacheStorage\\PhpFiles"}
2023-02-15T05:01:56.053345+00:00|100|Instantiate bouncer|{"type":"BOUNCER_INIT","logger":"CrowdSec\\Common\\Logger\\FileLog","remediation":"CrowdSec\\RemediationEngine\\LapiRemediation","configs":{"use_curl":true,"debug_mode":true,"disable_prod_log":false,"log_directory_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../logs/","forced_test_ip":"","forced_test_forwarded_ip":"","display_errors":true,"bouncing_level":"flex_bouncing","trust_ip_forward_array":[],"cache_system":"phpfs","captcha_cache_duration":86400,"hide_mentions":false,"custom_css":"","excluded_uris":[]}}

Hi,
I think we should try to make the Live mode work first (Stream Mode off).

The cURL test is a good start :
1) Create a fake decision for some IP : cscli decisions add --ip 1.2.3.4 --duration 2h --type ban

2) This cURL call should retrieve a result:
curl -H "X-Api-Key: ***" https://localhost:8080/v1/decisions?ip=1.2.3.4

You should have a result like:
[{"duration":"1h59m17.846736476s","id":1,"origin":"cscli","scenario":"manual 'ban' ","scope":"Ip","type":"ban","value":"1.2.3.4"}]

If not, there is something wrong with the crowdsec agent.

If you have a result, we will have to find what is going wrong with the plugin.

Please try the “Test Connection” button (Stream Mode OFF) and see if you have a result or some error in logs. If there is no logs in the plugin log directory, maybe you could find something interestion in the apache logs or nginx logs (depending on what you are using).

Thanks

Just a quick update: After a while with the plugin turned off, the error just disappeared. It may have been a conflict with the LiteSpeed cache plugin. I switched to Memcached, and now it seems to be running. The curl command in SSH now returns null in SSH. I can, however, see the decision in the log file if I have logging enabled, and it seems to be ok.

I am also using a custom wp dashboard which represses some of the alerts, so it may actually try to fire that banner at the top and I may just not be able to see it. Thanks to so many WP plugins using notifications to spam the admin, I disabled most of them.

I added some WordPress and general HTML scenarios and will check to see if any alerts show up. Currently, I have it enabled on 3 sites on the network with various traffic levels to determine if I see any alerts.

I’m starting to think this may just be an issue with the UI rather than the plugin itself… ??

Hi, I’m guessing we responded at the same time. I was able to run the commands you suggested and got the correct output.

The stream mode was set to on when I ran the command. I have several subsites running on the same server, some with a subdomain and some with a mapped domain.

The crowdsec plugin is turned on for only 3 out of 10+ subsites on this network.

Ok!

So it seems to work as expected now.

For information, the cURL call does not depend on any WordPress plugin or cache settings, so it’s weird that it works now (returns null if there is no decision for the tested IP) and wasn’t before (returns nothing).

I let this issue open if you find something new ??

I will close it later.

Thanks

Hi Thank you so much for bearing with me while I figured this thing out. I will run some more tests and update the ticket if I find anything else

Further testing, I added a decision to block an IP, then tried accessing one of the websites which has the Crowdsec Plugin installed, and I can still access the website via that IP address.

I added the decision using:
cscli decisions add –ip x.x.x.x –duration 1h –type ban

I was expected to be blocked…

I enabled Debug on the plugin to have a look at the logs:

2023-02-15T17:03:23.984691+00:00|100|Instantiate client|{"type":"CLIENT_INIT","configs":{"api_key":"***","auth_type":"api_key","tls_cert_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","tls_key_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","tls_verify_peer":false,"tls_ca_cert_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../tls/","api_url":"https://localhost:8080","api_timeout":120,"user_agent_version":"v2.0.1","user_agent_suffix":"WordPress"}}
2023-02-15T17:03:23.986362+00:00|100|Instantiate cache|{"type":"CACHE_INIT","configs":{"memcached_dsn":"memcached://localhost:11211"},"adapter":"Symfony\\Component\\Cache\\Adapter\\MemcachedAdapter"}
2023-02-15T17:03:23.986843+00:00|100|Instantiate remediation engine|{"type":"REM_INIT","configs":{"fallback_remediation":"captcha","stream_mode":true,"clean_ip_cache_duration":60,"bad_ip_cache_duration":120,"geolocation":{"enabled":false,"type":"maxmind","cache_duration":86400,"maxmind":{"database_type":"country","database_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../geolocation/"}},"ordered_remediations":["ban","captcha","bypass"]},"cache":"CrowdSec\\RemediationEngine\\CacheStorage\\Memcached"}
2023-02-15T17:03:23.987321+00:00|100|Instantiate bouncer|{"type":"BOUNCER_INIT","logger":"CrowdSec\\Common\\Logger\\FileLog","remediation":"CrowdSec\\RemediationEngine\\LapiRemediation","configs":{"use_curl":true,"debug_mode":true,"disable_prod_log":false,"log_directory_path":"/home/wordpress/webapps/wordpress/wp-content/plugins/crowdsec/inc/../logs/","forced_test_ip":"","forced_test_forwarded_ip":"","display_errors":false,"bouncing_level":"normal_bouncing","trust_ip_forward_array":[["173.245.048.000","173.245.063.255"],["103.021.244.000","103.021.247.255"],["103.022.200.000","103.022.203.255"],["103.031.004.000","103.031.007.255"],["141.101.064.000","141.101.127.255"],["108.162.192.000","108.162.255.255"],["190.093.240.000","190.093.255.255"],["188.114.096.000","188.114.111.255"],["197.234.240.000","197.234.243.255"],["198.041.128.000","198.041.255.255"],["162.158.000.000","162.159.255.255"],["104.016.000.000","104.023.255.255"],["104.024.000.000","104.027.255.255"],["172.064.000.000","172.071.255.255"],["131.000.072.000","131.000.075.255"]],"cache_system":"memcached","captcha_cache_duration":86400,"hide_mentions":true,"custom_css":"","excluded_uris":[]}}
2023-02-15T17:03:23.987694+00:00|100|Detected IP is allowed for X-Forwarded-for usage|{"type":"AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"172.69.156.151","x_forwarded_for_ip":"[IP Redacted]"}
2023-02-15T17:03:23.988437+00:00|100|Cache result|{"type":"LAPI_REM_CACHED_DECISIONS","ip":"[IP Redacted]","result":"hit"}
2023-02-15T17:03:23.988487+00:00|100|Decisions have been sorted by priority|{"type":"REM_SORTED_DECISIONS","decisions":[{"0":"ban","1":1676483523,"2":"cscli-ban-ip-[IP Redacted]","priority":0}]}

It seems that the bouncer itself does show the ban decision but I can still freely browse the website.

The bouncing level is set to Normal, so I would expect my test device to be blocked.

Thank you

Hi,
Indeed, logs are showing that the cached remediation is a “ban”.
And, as you are in stream mode and your bouncing level is “normal”, you should then see a ban wall (if you access the website with the “IP Redacted IP”).

Do you still have any cache plugin enabled ?

Thanks

Yes, I have LSCache enabled as well as using Cloudflare. (added the proxy IPs in the accepted X-Forwarded for IPs

Could you test to disable LSCache ?

If the html is cached before bouncing can act, then I guess it could lead to your issue.

We had the same issue with WP Super Cache plugin : https://github.com/crowdsecurity/cs-wordpress-bouncer/blob/main/docs/USER_GUIDE.md#auto-prepend-file-mode

I did not test with LSCache but, for the WP Cache plugin, a solution was to use the auto-prepend-file mode (see the above link to).

Please let me know.

Thanks

Hi,
I just released a new 2.0.3 version of the plugin : I guess that won’t solve your problem, but there are more debug messages (about what the bouncer will try to show after the remediation has been recovered).

Maybe it could help us.

Thanks.

• This reply was modified 1 year, 9 months ago by CrowdSec - lightweight and collaborative security engine.

How would auto-prepend work in a multisite setup? .Since the plugin saves the settings to a file, does that mean that all websites would have the same settings? I would actually not mind that one bit

Hi,

I just realized that I did not understand your initial message correctly.
Sorry for that.

This plugin has not been tested with a WordPress “MultiSite feature” installation. And I guess it is not supported. Some users have already multiple WordPress connected to one single CrowdSec agent but they are using individual WordPress sites with a Bouncer plugin for each site (cache can be shared with Redis for example and it is possible to use the same bouncer key)

Considering your last issue : “ban wall is not displayed whereas a ban remediation is logged“, I wasn’t able to test the LiteSpeed cache as it seems to be required to register for some external service. If you can test to disable it and see if this is better, it could help us.

For now, I am not sure if the issue comes from this Cache plugin or from a MultiSite installation (or from something else …).

• If this is a Multisite issue:

I can’t tell if or when we will be able to work on a MultiSite support. There is a feature request for it but I have no idea on the time it will take to add this support. As you mentionned, there is only one static file created for the auto_prepend mode, thus this will be maybe be a part of the work.

• If this is a Lite Speed compatibility issue
  
  If this is the same kind of problem that we had with the WP Super Cache plugin, the problem is that those kind plugin bypasses all the plugin loading process and serves the cached content. One can consider that not bouncing cached content is not a real issue. Uncached content (form POST …) should be still protected. But if showing a ban/captcha wall is really wanted, the auto_prepend mode seems to be the only way to act before such Cache plugins.
  
  
  Thanks again.