On a shared hosting provider using a Softaculous-installed instance of WordPress, installing and enabling SQLLite3 Object Cache breaks the ability to use their admin login bypass (Wordpress redirects to the homepage and WP Cerber will show "deleted invalid cookies" as an underlying action).

Logging in manually via /wp-admin still works in this case, and all site functionality appears normal (and snappier) until logging out and then trying to log back in via the cpanel/Softaculous link.

... the safest workaround on the plugin side would be to skip caching any auth-related keys, especially anything tied to session tokens, cookies, or nonces. In short: make sure the cache never stores or serves stale authentication objects. That should prevent Softaculous’ auto-login flow from breaking while keeping the rest of the cache intact.

...  adjust the plugin's cookie handling logic to ensure it doesn’t conflict with login redirects or WP Cerber's cookie validation.

...

Let me know if you'd like further details on this approach!

... but Softaculous’ auto-login flow depends heavily on very short-lived usermeta and auth-related lookups that normally bypass persistent storage. Even though WordPress doesn’t persist nonces or auth tokens, Softaculous creates (and expects) fresh user session state at the moment the bypass link is clicked. If the object cache is persisting any part of the user’s last session especially get_user_meta(), cached capabilities, or the WP_User object it can cause WP Cerber to treat the Softaculous-issued cookies as “invalid” because the underlying user state doesn’t match what WordPress recomputes during a normal login.

In shared hosting, this becomes more visible because Softaculous and WordPress aren’t always running under the same PHP worker, so stale cache keys linger longer.

A possible fix on the plugin side would be to avoid caching usermeta and capability lookups during authentication requests. Checking for wp-login.php, wp-admin, or is_user_logged_in() during the login handshake only might be enough to force fresh reads on those keys without disabling caching globally. Not a perfect solution, but it narrows the issue to where Softaculous’ bypass actually fails.