diff --git a/configs/shared-ols/httpd_config_base.tpl b/configs/shared-ols/httpd_config_base.tpl
index 3cb41ec..0b7e09e 100644
--- a/configs/shared-ols/httpd_config_base.tpl
+++ b/configs/shared-ols/httpd_config_base.tpl
@@ -9,11 +9,17 @@
 serverName                shared-ols
 
 ## Real client IP behind HAProxy. HAProxy sets X-Forwarded-For (the real
-## client) and X-Forwarded-Proto. Mode 2 = trust the proxy header. HAProxy is
-## the only thing that ever connects to this tier (it's not publicly exposed),
-## so trusting the header from the docker-network peer is safe — same trust
-## model as the shared httpd's RemoteIPInternalProxy.
-useIpInProxyHeader        2
+## client) and X-Forwarded-Proto. Mode 1 = always use X-Forwarded-For as the
+## client IP. HAProxy is the ONLY thing that ever connects to this tier (it's on
+## client-net with no host-published ports) and it OVERWRITES X-Forwarded-For
+## with %[src] (set-header, not add-header), so a client can't spoof it — mode 1
+## is safe here and matches the working standalone litespeed config.
+## NOTE: mode 2 ("trusted IP only") does NOT mean "trust the proxy header" — it
+## extracts the real IP ONLY when the connecting peer is in a TRUSTED access
+## list, which this tier never configured. With mode 2 + no trusted IP, OLS kept
+## HAProxy's container IP as REMOTE_ADDR for every request, so WP security
+## plugins saw all tenants as one IP and blocking it locked everyone out.
+useIpInProxyHeader        1
 
 ## LSCache enabled at MODULE scope for the whole tier (dedicated cache volume,
 ## ephemeral across rebuilds; OLS auto-keys a per-vhost subdir under storagePath).