"No external libraries. No blind trust. No compromise." AGPLv3 β Open Source Core. Built for humans, not for SaaS margins.
This project is a Proof of Concept (PoC) and part of ongoing research and development at VisionGaia Technology. It is not a certified or production-ready product.
Use at your own risk. The software may contain security vulnerabilities, bugs, or unexpected behavior. It may break your environment if misconfigured or used improperly.
Do not deploy in critical production environments unless you have thoroughly audited the code and understand the implications. For enterprise-grade, verified protection, we recommend established and officially certified solutions.
Found a vulnerability or have an improvement? Open an issue or contact us.
- NEW: Integrated Malware Signature Scanner β 40+ embedded signatures detect known WordPress malware families, webshells, polyglot files, and obfuscation patterns directly within the CHRONOS integrity scanner
- NEW: Two-Stage Scan Architecture β Signature matching runs only on NEW or MODIFIED files (post-integrity-check) β zero overhead on clean systems
- NEW:
MALWAREChange Type β Distinct fromNEW/MODIFIED/DELETED, escalates report status tocritical - HARDENED: AEGIS Regex Engine β Closed encoding evasion vectors and bypass paths:
- Extended
normalize_payload()with HTML Entity, Unicode Escape, and Hex Escape decoding layers - XSS pattern now matches all 60+ HTML event handlers via wildcard (
\bon[a-z]{3,20}\s*=) - SQLi pattern uses non-whitespace separator β closes
1/OR/1=1,1)OR(1=1,1+OR+1=1 - Comment-stripping is now FAIL-CLOSED (
?? ''instead of?? $normalized) - RCE pattern uses lookbehind
(?<![a-zA-Z0-9_])instead of\bβ catches functions preceded by escape chars
- Extended
- Previous (V1.5.0): VGT Shield Anti-Bot module, full WordPress Marketplace compliance, 3 red team test scripts
VGT Sentinel Community Edition is a modular, zero-dependency WordPress security framework engineered to neutralize deterministic attack vectors without sacrificing performance.
It is the open-source core of the VGT Sentinel suite β a battle-hardened, multi-layered defense system built on a Zero-Trust architecture. Every request is inspected, every header hardened, every upload analyzed, every file hashed and signature-matched, and every bot challenged.
Traditional WordPress Security:
β Single plugin = single point of failure
β Shared hosting overhead
β No outbound control
β No filesystem integrity monitoring
VGT Sentinel ZTNA Security Stack:
β Stream-based WAF (AEGIS) β SQLi, XSS, RCE, LFI neutralized
β Kernel Hardening (TITAN) β Server fingerprint masked
β Stealth Engine (HADES) β WordPress architecture obfuscated
β Access Guard (CERBERUS) β IP-validated brute-force prevention
β Outbound Control (STYX LITE) β Data exfiltration blocked
β Payload Sanitizer (AIRLOCK) β Binary upload inspection
β Integrity + Malware Scanner (CHRONOS) β SHA-256 diff + 40+ signatures
β Anti-Bot Engine (VGT SHIELD) β Zero-UI PoW bot defense
Incoming HTTP Request
β
CERBERUS (Pre-Auth IP Validation)
β Cloudflare CIDR verification
β X-Forwarded-For spoofing prevention
β Brute-force state via RAM/Object Cache
β Hook Priority 1 β fires before WP user logic
β
AEGIS WAF (Stream Inspection)
β php://input scanned in 4KB binary chunks
β Overlap-buffer for boundary-spanning patterns
β 512KB scan limit (Memory Exhaustion prevention)
β Tarpit: Socket-Drop + Connection: Close on critical hit
β HARDENED V1.6.0: 4-layer payload normalization
β
TITAN (Kernel Hardening)
β Security headers injected
β X-Powered-By camouflage (Laravel / Drupal / Django)
β XML-RPC blocked, REST API locked to auth sessions
β .env / wp-config.php / .git access denied at .htaccess level
β
HADES (Stealth Engine)
β URL rewrites mask WordPress directory structure
β Custom slugs for wp-admin and wp-login.php
β
VGT SHIELD (Anti-Bot / PoW Engine)
β SHA-256 cryptographic challenge issued by PHP server
β Web Worker mines proof-of-work in isolated browser thread
β X-VGT-Shield-PoW header injected into form submissions
β Server validates hash in <10ms β replay protection (TTL 1800s)
β
AIRLOCK (Upload Inspection)
β Magic Byte analysis on 4KB header/footer chunks
β PHP wrapper, Base64 and exec-pattern detection
β Polyglot file prevention
β
CHRONOS (Integrity + Malware Scanner) β UPGRADED IN V1.6.0
β SHA-256 against integrity_matrix.php baseline
β mtime + size pre-filter before hash computation
β NEW: 40+ malware signatures matched on NEW/MODIFIED files only
β Ghost Trap honeypot triggers IP blacklisting on access
β Cron-sliced execution (max 20s) β PHP timeout safe
β
STYX LITE (Outbound Control)
β Telemetry Kill Switch for api.wordpress.org
β Supply-chain exfiltration blocked
Stream-based WAF for real-time payload inspection.
| Parameter | Value |
|---|---|
| Engine | Deterministic Regex Pattern Matching (Hardened V1.6.0) |
| Scan Limit | 512 KB (Memory Exhaustion prevention) |
| Read Strategy | php://input binary stream in 4KB chunks with overlap buffer |
| Protected Vectors | SQLi, XSS, RCE, LFI, Malicious User Agents |
| Threat Response | Immediate socket-drop (Connection: Close) before header send |
| Normalization Layers | URL, HTML Entity, Unicode Escape, Hex Escape |
| Failure Mode | Fail-Closed PCRE β ReDoS attempts trigger immediate block |
V1.6.0 Hardening Summary:
The pattern set was extended to close gaps that gave manual attackers an evasion path. The new normalizer decodes HTML entities (javascript:), Unicode escapes (\u0073ystem), and hex escapes (\x73ystem) before pattern matching β closing four previously distinct evasion vectors at the input layer. The XSS pattern now matches any on* event handler via wildcard instead of a hardcoded list of five. The SQLi pattern accepts non-whitespace separators between OR/AND and operands, closing payloads like 1/OR/1=1 that bypassed the previous whitespace requirement.
Application-layer hardening and server signature masking.
Headers Enforced:
β X-XSS-Protection
β X-Frame-Options: SAMEORIGIN
β X-Content-Type-Options: nosniff
β Referrer-Policy
β Permissions-Policy
Camouflage Engine:
β X-Powered-By spoofed to: Laravel | Drupal | Django
API Lockdown:
β XML-RPC: BLOCKED (full)
β REST API: Auth-only sessions
β RSS/Atom: DISABLED
Protected Paths (.htaccess):
β .env | .git | wp-config.php | composer.json | Vault directories
Architecture obfuscation to prevent automated WordPress fingerprinting.
URL Rewrite Map:
| Original Path | Masked Path |
|---|---|
wp-content/themes |
content/ui |
wp-content/plugins |
content/lib |
wp-content/uploads |
storage |
wp-includes |
core |
wp-admin |
(Custom Slug) |
wp-login.php |
(Custom Slug) |
Webserver Support: Apache (auto via .htaccess) Β· Nginx (static rule injection) Β· LiteSpeed
Pre-authentication IP validation and brute-force defense.
| Feature | Detail |
|---|---|
| True-IP Detection | Native Cloudflare CIDR validation β prevents X-Forwarded-For spoofing |
| Fail-State Tracking | RAM/Object Cache via WordPress Transients |
| Hook Priority | 1 on authenticate β fires before any WP user logic loads |
Network-layer control against data exfiltration and supply-chain attacks.
Telemetry Kill Switch β Blocked Domains:
β api.wordpress.org
β downloads.wordpress.org
β s.w.org
Supply-Chain Protection:
β Blocks unintended external communication from compromised plugins
Binary-level analysis of all file uploads (multipart/form-data).
| Feature | Detail |
|---|---|
| File Policy | Strict allowlist β only pre-approved safe formats |
| Large File Strategy | Memory-safe chunked read β 4KB header/footer scan for files >2MB |
| Magic Byte Inspection | Detects real file type regardless of extension |
| Polyglot Prevention | Blocks PHP wrappers, Base64 obfuscation, exec-patterns in image/document payloads |
Asynchronous filesystem integrity monitoring with embedded malware signature engine and honeypot tripwire.
Two-Stage Scan Architecture:
Stage 1: Integrity Pre-Filter (existing)
β mtime + size compared against integrity_matrix.php baseline
β Unchanged files reuse cached SHA-256 hash β zero re-hashing
β Changed files proceed to Stage 2
Stage 2: Signature Scan (NEW V1.6.0)
β 40+ embedded malware signatures matched on file content
β 5MB hard size limit per file (DoS prevention)
β PCRE fail-closed β ReDoS-resistant matching
β Runs ONLY on NEW or MODIFIED files
β Zero overhead on clean systems
Ghost Trap (existing):
β Honeypot file: wp-admin-backup-restore.php
β HTTP access = immediate IP blacklisting
Execution Safety:
β Async State Machine β max 20s Cron-Slice
β No PHP timeout risk on large installations
Embedded Malware Signature Categories (40+ patterns):
| Category | Coverage |
|---|---|
| WordPress malware families | wp_vcd injector + markers, pharma hack, WP filemanager backdoor |
| Generic obfuscation | eval+base64, eval+gzinflate, eval+str_rot13, pack hex, chr concat, goto-obfuscation |
| Known webshells | C99, R57, PHPSpy, WeBaCoo, b374k, WSO, FilesMan, ALFA, Marijuana Shell |
| Polyglot files | GIF/JPG/PNG headers + embedded PHP code |
| Direct shell access | shell_exec/passthru/system with $_GET/$_POST/$_REQUEST arguments |
| Remote file inclusion | https://, data://, php://input, php://filter includes |
| Backdoor patterns | create_function with user input, assert($_POST), $auth_pass MD5 markers |
| Cryptominers | Coinhive, Cryptonight, Monero/XMR, xmrig, cpuminer, minerd |
| Header manipulation | Base64-decoded redirects, wp_set_current_user with user input |
Performance characteristics:
On a clean WordPress installation, Stage 2 is never invoked β every file matches its baseline mtime/size and reuses the cached hash. The signature database lives in PHP OPcache as a class constant after first load, with zero file I/O cost. When a file changes legitimately (plugin update, theme modification), it gets one signature scan and one hash computation. When malware is introduced, it gets flagged with a MALWARE change type which escalates the report status to critical.
A high-performance, DSGVO-compliant reCAPTCHA alternative for WordPress. Eliminates bot interactions through a server-validated Proof-of-Work engine that operates entirely without user interaction and without external data transfers (Zero-Cloud).
No checkbox. No "I'm not a robot". No Google requests. No cookies. Instead: invisible, mathematical bot defense directly in the browser.
| Feature | Description |
|---|---|
| Zero-UI Bot Defense | End users see no captchas or checkboxes β security operates invisibly in the background |
| SHA-256 PoW Engine | Cryptographic challenge-response via bitwise hashing, isolated in a Web Worker |
| 100% DSGVO-compliant | No third-party requests, no cookies, no tracking |
| Zero-Cloud | Fully server-side β no external APIs, no CDNs |
| Replay Protection | Every hash is valid exactly once β TTL: 1800 seconds |
| Deep Plugin Scanner | AST-regex parsing detects installed form plugins and integrates them automatically |
| Network Layer Hijacking | Automatic interception of network requests for PoW header injection |
| <10ms Server Validation | Minimal latency on server-side hash verification |
| Dark/Light Mode | Neural Aesthetics admin dashboard with full theme support |
Native integrations: WooCommerce Β· Contact Form 7 Β· WPForms Β· Gravity Forms Β· WordPress Core Comments
The repository includes 3 Python-based red team test scripts for independent validation of Sentinel CE.
β οΈ Only use against your own servers. Running these scripts against third-party systems without explicit authorization is illegal.
| Script | Module Tested | Technique |
|---|---|---|
redteam_aegis.py |
AEGIS WAF | SQLi, XSS, RCE, LFI payload injection β validates block rate and response behavior |
redteam_cerberus.py |
CERBERUS | Brute-force simulation with IP rotation β validates fail-state tracking and lockout |
redteam_shield.py |
VGT SHIELD | Bot simulation without PoW β validates challenge-response enforcement |
Zero performance tax. Maximum coverage.
| Optimization | Mechanism |
|---|---|
| Fast-Path Routing | Static assets bypass WAF inspection entirely β saves >90% CPU cycles |
| Stream Chunking | Payload inspection via chunked reads β low, stable RAM footprint |
| Two-Stage Integrity Scan | Signature scanning skipped entirely on clean files |
| OPcache-Resident Signatures | Malware database loaded once, lives in OPcache β zero file I/O at runtime |
| Async Scheduling | CHRONOS runs in time-sliced cron β never blocks request handling |
| Web Worker Isolation | VGT SHIELD PoW mining runs in isolated thread β zero UI blocking |
| Zero Dependencies | No external libraries β no supply chain risk, no overhead |
| Component | Detail |
|---|---|
| PHP | 7.4+ (Recommended: 8.1+) |
| Webserver | Apache (auto), Nginx (manual rule injection), LiteSpeed |
| Page Builders | Bridge Manager auto-disables conflicting DOM/header interventions for Elementor, Divi, Oxygen |
| VGT Ecosystem | Native VisionLegalPro support via Shadow-Net Asset Routing |
| VGT Myrmidon | AEGIS Co-op Mode β whitelists Myrmidon ZTNA API endpoints automatically |
| WordPress Marketplace | Fully compliant with WordPress plugin guidelines |
DISCLAIMER: The Community Edition (Silber Status) operates on a deterministic rule engine. It provides a robust shield against standardized, automated botnets, scrapers, and known attack vectors.
The following capabilities are exclusive to VGT Sentinel Pro / Platin Status:
| Capability | Silber | Platin |
|---|---|---|
| ORACLE AI β Polymorphic Zero-Day Detection | β | β |
| PROMETHEUS β Dynamic Behavioral Profiling | β | β |
| NEMESIS β Deception-Engine | β | β |
ZEUS β Pre-Boot WAF via auto_prepend_file |
β | β |
| MORPHEUS β Hypervisor for Plugins | β | β |
| GORGON β Global Swarm Intelligence Threat Feed | β | β |
| NEXUS Live Signature Updates β Hot-loadable threat patterns | β | β |
| API CRYPTO VAULT β AES-256-GCM Database Payload Encryption | β | β |
| Deterministic WAF (AEGIS Lite) | β | β |
| Kernel Hardening (TITAN Lite) | β | β |
| Stealth Engine (HADES Lite) | β | β |
| Access Guard (CERBERUS) | β | β |
| Outbound Control (STYX LITE) | β | β |
| Payload Sanitizer (AIRLOCK Lite) | β | β |
| Integrity + Malware Scanner (CHRONOS) | β | β |
| Anti-Bot PoW Engine (VGT SHIELD) | β | β |
# 1. Clone into WordPress plugins directory
cd /var/www/html/wp-content/plugins/
git clone https://github.com/visiongaiatechnology/sentinelcom
# 2. Activate in WordPress Admin
# Plugins β VGT Sentinel Community Edition β Activate
# 3. HADES: Configure custom login slug
# Settings β Sentinel β Stealth Engine
# 4. CHRONOS: Generate initial integrity manifest + signature scan
# Settings β Sentinel β Integrity Monitor β Generate Baseline
# 5. VGT SHIELD: Activate Anti-Bot PoW
# Settings β Sentinel β Shield β EnableMU-Deployer Note: One-click MU deployment is no longer available (WordPress policy). After activating Sentinel, navigate to Settings β Sentinel β MU-Deployer to generate the deployment script, then upload it manually to
wp-content/mu-plugins/via FTP.
On first activation, Sentinel automatically:
β Injects AEGIS WAF into the request lifecycle
β Applies TITAN security headers
β Activates HADES URL rewrites (.htaccess / Nginx rules)
β Initializes CERBERUS fail-state cache
β Generates CHRONOS integrity_matrix.php baseline + signature scan
β Deploys Ghost Trap honeypot
β Activates STYX outbound kill switch
β Registers VGT SHIELD challenge endpoint (/wp-json/vgt-shield/v1/challenge)
| Tool | Type | Purpose |
|---|---|---|
| βοΈ VGT Sentinel | WAF / IDS Framework | Zero-Trust WordPress security suite β you are here |
| π° Throne Guard | Capability Hardening | Strips toxic capabilities from Administrator role |
| π‘οΈ VGT Myrmidon | ZTNA | Zero Trust device registry and cryptographic integrity verification |
| β‘ VGT Auto-Punisher | IDS | L4+L7 Hybrid IDS β attackers terminated before they even knock |
| π VGT Dattrack | Analytics | Sovereign analytics engine β your data, your server, no third parties |
| π VGT Global Threat Sync | Preventive | Daily threat feed β block known attackers before they arrive |
| π₯ VGT Windows Firewall Burner | Windows | 280,000+ APT IPs in native Windows Firewall |
| Method | Address |
|---|---|
| PayPal | paypal.me/dergoldenelotus |
| Bitcoin | bc1q3ue5gq822tddmkdrek79adlkm36fatat3lz0dm |
| ETH | 0xD37DEfb09e07bD775EaaE9ccDaFE3a5b2348Fe85 |
| USDT (ERC-20) | 0xD37DEfb09e07bD775EaaE9ccDaFE3a5b2348Fe85 |
Pull requests are welcome. For major changes, open an issue first.
Licensed under AGPLv3 β "For Humans, not for SaaS Corporations."
VisionGaia Technology builds enterprise-grade security infrastructure β engineered to the DIAMANT VGT SUPREME standard.
"Sentinel was built because WordPress deserved a security framework that doesn't phone home, doesn't bloat your stack, and doesn't ask you to trust a SaaS dashboard with your attack surface."
Version 1.6.0 β VGT Sentinel Community Edition // Zero-Trust WAF Framework // Deterministic DFA Engine // Integrated Malware Scanner // Hardened Pattern Set // WordPress Marketplace Ready // AGPLv3