"No external libraries. No blind trust. No compromise." AGPLv3 · Open Source Core. Built for humans, not for SaaS margins.
This project is a Proof of Concept (PoC) WordPress security layer. It is not an enterprise plugin and can be unsafe.
Do not use it in critical production environments. For enterprise-grade, kernel-level protection, we recommend established solutions.
- New regex filters
- Red-team tests for internal use to evaluate VGT Sentinel
- We work every day to improve the Community Edition.
VGT Sentinel Community Edition is a modular, zero-dependency WordPress security framework engineered to neutralize deterministic attack vectors without sacrificing performance.
It is the open-source core of the VGT Sentinel suite: a battle-hardened, multi-layered defense system built on a Zero-Trust architecture. Every request is inspected, every header hardened, every upload analyzed, every file hashed.
Traditional WordPress Security:
- Single plugin = single point of failure
- Shared hosting overhead
- No outbound control
- No filesystem integrity monitoring

VGT Sentinel ZTNA Security Stack:
- Stream-based WAF (AEGIS): SQLi, XSS, RCE, LFI neutralized
- Kernel Hardening (TITAN): server fingerprint masked
- Stealth Engine (HADES): WordPress architecture obfuscated
- Access Guard (CERBERUS): IP-validated brute-force prevention
- Outbound Control (STYX LITE): data exfiltration blocked
- Payload Sanitizer (AIRLOCK): binary upload inspection
- Integrity Monitor (CHRONOS): SHA-256 filesystem diff-hashing
```text
Incoming HTTP Request
        ↓
CERBERUS (Pre-Auth IP Validation)
  - Cloudflare CIDR verification
  - X-Forwarded-For spoofing prevention
  - Brute-force state via RAM/Object Cache
  - Hook priority 1: fires before WP user logic
        ↓
AEGIS WAF (Stream Inspection)
  - php://input scanned in 4KB binary chunks
  - Overlap buffer for boundary-spanning patterns
  - 512KB scan limit (memory exhaustion prevention)
  - Tarpit: socket drop + Connection: Close on critical hit
        ↓
TITAN (Kernel Hardening)
  - Security headers injected
  - X-Powered-By camouflage (Laravel / Drupal / Django)
  - XML-RPC blocked, REST API locked to auth sessions
  - .env / wp-config.php / .git access denied at .htaccess level
        ↓
HADES (Stealth Engine)
  - URL rewrites mask WordPress directory structure
  - Custom slugs for wp-admin and wp-login.php
        ↓
AIRLOCK (Upload Inspection)
  - Magic-byte analysis on 4KB header/footer chunks
  - PHP wrapper, Base64 and exec-pattern detection
  - Polyglot file prevention
        ↓
CHRONOS (Async Integrity Monitor)
  - SHA-256 against integrity_matrix.php baseline
  - mtime + size pre-filter before hash computation
  - Ghost Trap honeypot triggers IP blacklisting on access
  - Cron-sliced execution (max 20s): PHP timeout safe
        ↓
STYX LITE (Outbound Control)
  - Telemetry kill switch for api.wordpress.org
  - Supply-chain exfiltration blocked
```
Stream-based WAF for real-time payload inspection.
| Parameter | Value |
|---|---|
| Engine | Deterministic Regex Pattern Matching |
| Scan Limit | 512 KB (Memory Exhaustion prevention) |
| Read Strategy | php://input binary stream in 4KB chunks with overlap buffer |
| Protected Vectors | SQLi, XSS, RCE, LFI, Malicious User Agents |
| Threat Response | Immediate socket-drop (Connection: Close) before header send |
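The chunked read with an overlap buffer described above, as an added example that is not VGT Sentinel's own code: the signature set, chunk size and overlap length are assumptions chosen for illustration, and the sample body is constructed so that the attack tokens straddle a chunk boundary.

```php
<?php
// Added example, not VGT Sentinel's own code: a chunked stream scan with an
// overlap buffer and a hard byte limit, as the AEGIS description outlines.
// Chunk size, overlap length and the tiny signature set are assumptions.
const CHUNK_SIZE = 4096;          // 4 KB read window
const SCAN_LIMIT = 512 * 1024;    // stop inspecting after 512 KB
const OVERLAP    = 64;            // tail carried over so a split token is still seen

// Illustrative signatures only; a real ruleset is far larger and tuned.
const PATTERNS = [
    'sqli' => '/\bunion\b[\s\/*]+\bselect\b/i',
    'xss'  => '/<script\b|\bon\w+\s*=/i',
    'lfi'  => '/(?:\.\.\/)+etc\/passwd/i',
    'rce'  => '/\b(?:exec|system|passthru|shell_exec)\s*\(/i',
];

// Read $stream in CHUNK_SIZE pieces and test each window (previous tail + new
// chunk) against PATTERNS. Returns the first matching rule name, or null if
// nothing matched within SCAN_LIMIT bytes. Peak memory stays at CHUNK_SIZE + OVERLAP.
function aegis_scan_stream($stream): ?string
{
    $carry = '';
    $consumed = 0;
    while (!feof($stream) && $consumed < SCAN_LIMIT) {
        $chunk = fread($stream, CHUNK_SIZE);
        if ($chunk === false || $chunk === '') {
            break;
        }
        $consumed += strlen($chunk);
        $window = $carry . $chunk;
        foreach (PATTERNS as $name => $re) {
            if (preg_match($re, $window) === 1) {
                return $name;
            }
        }
        $carry = substr($window, -OVERLAP);
    }
    return null;
}

// Constructed body: the SQLi tokens straddle the 4 KB boundary, so a scan
// without the overlap buffer would see "union" and "select" in different chunks
// and miss it. In production the stream is fopen('php://input', 'rb') and a hit
// feeds the Connection: close tarpit.
$body = str_repeat('a', CHUNK_SIZE - 7) . ' union select password from users';
$fh = fopen('php://memory', 'r+');
fwrite($fh, $body);
rewind($fh);
echo aegis_scan_stream($fh) ?? 'clean', PHP_EOL;
```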
Application-layer hardening and server signature masking.

Headers Enforced:
- X-XSS-Protection
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- Referrer-Policy
- Permissions-Policy

Camouflage Engine:
- X-Powered-By spoofed to: Laravel | Drupal | Django

API Lockdown:
- XML-RPC: BLOCKED (full)
- REST API: auth-only sessions
- RSS/Atom: DISABLED

Protected Paths (.htaccess):
- .env | .git | wp-config.php | composer.json | Vault directories
Architecture obfuscation to prevent automated WordPress fingerprinting.
URL Rewrite Map:

| Original Path | Masked Path |
|---|---|
| wp-content/themes | content/ui |
| wp-content/plugins | content/lib |
| wp-content/uploads | storage |
| wp-includes | core |
| wp-admin | (Custom Slug) |
| wp-login.php | (Custom Slug) |

Webserver Support: Apache (auto via .htaccess) · Nginx (static rule injection) · LiteSpeed
Pre-authentication IP validation and brute-force defense.
| Feature | Detail |
|---|---|
| True-IP Detection | Native Cloudflare CIDR validation; prevents X-Forwarded-For spoofing |
| Fail-State Tracking | RAM/Object Cache via WordPress Transients |
| Hook Priority | 1 on authenticate; fires before any WP user logic loads |
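The true-IP rule from the table above, as an added example that is not VGT Sentinel's own code: the forwarded-client header is trusted only when the TCP peer is itself inside a Cloudflare range, and X-Forwarded-For is never consulted. The CIDR list is an illustrative subset (the live list must be fetched from Cloudflare), and the fail-state counter is not shown.

```php
<?php
// Added example, not VGT Sentinel's own code: resolve the real client address
// the way the CERBERUS description outlines. CF-Connecting-IP is honoured only
// when the TCP peer (REMOTE_ADDR) is inside a Cloudflare range; otherwise the
// peer is used and X-Forwarded-For is ignored, since any client can set it.
// The CIDR list is an illustrative subset, not a complete or current one.
const CLOUDFLARE_IPV4 = ['103.21.244.0/22', '104.16.0.0/13', '173.245.48.0/20'];

function ipv4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $mask = ((int)$bits === 0) ? 0 : ((-1 << (32 - (int)$bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

function cerberus_true_ip(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    foreach (CLOUDFLARE_IPV4 as $cidr) {
        if (ipv4_in_cidr($peer, $cidr)) {
            $claimed = $server['HTTP_CF_CONNECTING_IP'] ?? '';
            // Check the header is at least a well-formed address before using it.
            return filter_var($claimed, FILTER_VALIDATE_IP) ? $claimed : $peer;
        }
    }
    return $peer;   // not behind Cloudflare: every proxy header is untrusted input
}

// Constructed requests: one genuinely proxied by Cloudflare, one from a direct
// client forging the same headers hoping to be treated as 127.0.0.1.
$proxied = ['REMOTE_ADDR' => '104.16.1.1', 'HTTP_CF_CONNECTING_IP' => '198.51.100.7',
            'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
$forged  = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_CF_CONNECTING_IP' => '127.0.0.1',
            'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
echo cerberus_true_ip($proxied), PHP_EOL;   // the CF-Connecting-IP value
echo cerberus_true_ip($forged), PHP_EOL;    // the peer address; headers discarded
```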
Network-layer control against data exfiltration and supply-chain attacks.
Telemetry Kill Switch (blocked domains):
- api.wordpress.org
- downloads.wordpress.org
- s.w.org

Supply-Chain Protection:
- Blocks unintended external communication from compromised plugins
Binary-level analysis of all file uploads (multipart/form-data).
| Feature | Detail |
|---|---|
| File Policy | Strict allowlist: only pre-approved safe formats |
| Large File Strategy | Memory-safe chunked read: 4KB header/footer scan for files >2MB |
| Magic Byte Inspection | Detects real file type regardless of extension |
| Polyglot Prevention | Blocks PHP wrappers, Base64 obfuscation, exec-patterns in image/document payloads |
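The allowlist, magic-byte and polyglot checks from the table above, as an added example that is not VGT Sentinel's own code: small files are scanned whole, files above 2 MB only as a 4 KB head and 4 KB tail. The allowlist, signatures and patterns are illustrative assumptions, and the sample file is a constructed GIF/PHP polyglot.

```php
<?php
// Added example, not VGT Sentinel's own code: allowlist, magic-byte and polyglot
// checks as the AIRLOCK description outlines; files above 2 MB are sampled as a
// 4 KB head and tail. Allowlist, signatures and patterns are illustrative.
const WINDOW        = 4096;
const FULL_SCAN_MAX = 2 * 1024 * 1024;
// Extension => bytes the file must really start with, whatever it is named.
const MAGIC = ['png' => "\x89PNG\r\n\x1a\n", 'jpg' => "\xFF\xD8\xFF",
               'gif' => 'GIF8', 'pdf' => '%PDF-'];
// Content that has no business inside an image or document.
const POLYGLOT = [
    '/<\?php|<\?=|<script[^>]+language\s*=\s*["\']?php/i',
    '/\b(?:eval|system|exec|passthru|shell_exec|assert)\s*\(/i',
    '/\bbase64_decode\s*\(|php:\/\/(?:input|filter)/i',
];

// Regions to inspect: the whole file, or only head + tail for large uploads.
function airlock_regions(string $path): array
{
    if (filesize($path) <= FULL_SCAN_MAX) {
        return [file_get_contents($path)];
    }
    $fh = fopen($path, 'rb');
    $head = fread($fh, WINDOW);
    fseek($fh, -WINDOW, SEEK_END);
    $tail = fread($fh, WINDOW);
    fclose($fh);
    return [$head, $tail];
}

function airlock_inspect(string $path, string $originalName): string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(MAGIC[$ext])) {
        return "reject: .$ext is not on the allowlist";
    }
    $regions = airlock_regions($path);
    if (strncmp($regions[0], MAGIC[$ext], strlen(MAGIC[$ext])) !== 0) {
        return "reject: content is not a real .$ext";
    }
    foreach ($regions as $data) {
        foreach (POLYGLOT as $re) {
            if (preg_match($re, $data) === 1) {
                return "reject: executable payload hidden in .$ext";
            }
        }
    }
    return 'accept';
}

// Constructed sample: a valid GIF header followed by a PHP open tag, the classic
// polyglot that passes an extension-only or magic-only check.
$tmp = tempnam(sys_get_temp_dir(), 'airlock');
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00" . '<?php /* payload */ ?>');
echo airlock_inspect($tmp, 'avatar.gif'), PHP_EOL;
unlink($tmp);
```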
Asynchronous filesystem integrity monitoring with honeypot tripwire.
Differential Hashing:
- SHA-256 verified against integrity_matrix.php (PHP-formatted; prevents web exposure)
- mtime + size pre-filter: the hash only runs when metadata changes

Ghost Trap:
- Honeypot file: wp-admin-backup-restore.php
- HTTP access = immediate IP blacklisting

Execution Safety:
- Async state machine: max 20s cron slice
- No PHP timeout risk on large installations
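The differential hashing and cron-slicing described above, as an added example that is not VGT Sentinel's own code: the baseline is written as a PHP file that returns an array (so a direct HTTP request executes it and discloses nothing), a file is hashed only when its size or mtime differs from the baseline, and the walk stops at a time budget and reports where to resume. The baseline layout (path => [size, mtime, sha256]) and the 20 s budget are assumptions; the two files are a constructed fixture.

```php
<?php
// Added example (not VGT Sentinel's code). Baseline: PHP file returning
// path => [size, mtime, sha256]. Time budget and layout are assumptions.
const SLICE_SECONDS = 20;

function chronos_write_matrix(string $file, array $baseline): void
{
    file_put_contents($file, "<?php\nreturn " . var_export($baseline, true) . ";\n", LOCK_EX);
}

function chronos_entry(string $abs): array
{
    return [filesize($abs), filemtime($abs), hash_file('sha256', $abs)];
}

// One cron slice. Returns [findings, resume_index]; resume_index is null when done.
function chronos_slice(array $baseline, string $root, int $offset = 0): array
{
    $start = microtime(true);
    $paths = array_keys($baseline);
    $findings = [];
    for ($i = $offset, $n = count($paths); $i < $n; $i++) {
        if (microtime(true) - $start > SLICE_SECONDS) {
            return [$findings, $i];              // budget spent: resume here next run
        }
        $rel = $paths[$i]; $abs = "$root/$rel";
        if (!is_file($abs)) { $findings[$rel] = 'missing'; continue; }
        [$size, $mtime, $hash] = $baseline[$rel];
        clearstatcache(true, $abs);
        if (filesize($abs) === $size && filemtime($abs) === $mtime) {
            continue;                            // metadata unchanged: skip the hash
        }
        if (hash_file('sha256', $abs) !== $hash) {
            $findings[$rel] = 'modified';
        }
    }
    return [$findings, null];
}

// Constructed fixture: two files, baseline written, then one file altered.
$root = sys_get_temp_dir() . '/chronos_' . getmypid();
mkdir($root);
file_put_contents("$root/a.php", "<?php // a\n");
file_put_contents("$root/b.php", "<?php // b\n");
chronos_write_matrix("$root/integrity_matrix.php",
    ['a.php' => chronos_entry("$root/a.php"), 'b.php' => chronos_entry("$root/b.php")]);
file_put_contents("$root/b.php", "<?php // b tampered\n"); // size differs: hash re-run
$matrix = require "$root/integrity_matrix.php";
[$findings] = chronos_slice($matrix, $root);
print_r($findings);
array_map('unlink', glob("$root/*")); rmdir($root);
```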
Zero performance tax. Maximum coverage.
| Optimization | Mechanism |
|---|---|
| Fast-Path Routing | Static assets bypass WAF inspection entirely; saves >90% CPU cycles |
| Stream Chunking | Payload inspection via chunked reads; low, stable RAM footprint |
| Async Scheduling | CHRONOS runs in time-sliced cron; never blocks request handling |
| Zero Dependencies | No external libraries; no supply chain risk, no overhead |
| Component | Detail |
|---|---|
| PHP | 7.4+ (Recommended: 8.1+) |
| Webserver | Apache (auto), Nginx (manual rule injection), LiteSpeed |
| Page Builders | Bridge Manager auto-disables conflicting DOM/header interventions for Elementor, Divi, Oxygen |
| VGT Ecosystem | Native VisionLegalPro support via Shadow-Net Asset Routing |
| VGT Myrmidon | AEGIS Co-op Mode: whitelists Myrmidon ZTNA API endpoints automatically |
DISCLAIMER: The Community Edition (Silber Status) operates on a deterministic rule engine. It provides a robust shield against standardized, automated botnets, scrapers, and known attack vectors.
The following capabilities are exclusive to VGT Sentinel Pro / Platin Status:
| Capability | Silber | Platin |
|---|---|---|
| ORACLE AI: Polymorphic Zero-Day Detection | ✗ | ✓ |
| PROMETHEUS: Dynamic Behavioral Profiling | ✗ | ✓ |
| NEMESIS: Deception Engine | ✗ | ✓ |
| ZEUS: Pre-Boot WAF (via auto_prepend_file) | ✗ | ✓ |
| MORPHEUS: Hypervisor for Plugins | ✗ | ✓ |
| GORGON: Global Swarm Intelligence Threat Feed | ✗ | ✓ |
| API CRYPTO VAULT: AES-256-GCM Database Payload Encryption | ✗ | ✓ |
| Deterministic WAF (AEGIS Lite) | ✓ | ✓ |
| Kernel Hardening (TITAN Lite) | ✓ | ✓ |
| Stealth Engine (HADES Lite) | ✓ | ✓ |
| Access Guard (CERBERUS) | ✓ | ✓ |
| Outbound Control (STYX LITE) | ✓ | ✓ |
| Payload Sanitizer (AIRLOCK Lite) | ✓ | ✓ |
| Integrity Monitor (CHRONOS) | ✓ | ✓ |
```bash
# 1. Clone into the WordPress plugins directory
cd /var/www/html/wp-content/plugins/
git clone https://github.com/visiongaiatechnology/sentinelcom

# 2. Activate in WordPress Admin
#    Plugins → VGT Sentinel Community Edition → Activate

# 3. HADES: configure the custom login slug
#    Settings → Sentinel → Stealth Engine

# 4. CHRONOS: generate the initial integrity manifest
#    Settings → Sentinel → Integrity Monitor → Generate Baseline
```

On first activation, Sentinel automatically:
- Injects the AEGIS WAF into the request lifecycle
- Applies TITAN security headers
- Activates HADES URL rewrites (.htaccess / Nginx rules)
- Initializes the CERBERUS fail-state cache
- Generates the CHRONOS integrity_matrix.php baseline
- Deploys the Ghost Trap honeypot
- Activates the STYX outbound kill switch
| Tool | Type | Purpose |
|---|---|---|
| VGT Sentinel | WAF / IDS Framework | Zero-Trust WordPress security suite (you are here) |
| VGT Myrmidon | ZTNA | Zero Trust device registry and cryptographic integrity verification |
| VGT Auto-Punisher | IDS | L4+L7 hybrid IDS: attackers terminated before they even knock |
| VGT Dattrack | Analytics | Sovereign analytics engine: your data, your server, no third parties |
| VGT Global Threat Sync | Preventive | Daily threat feed: block known attackers before they arrive |
| VGT Windows Firewall Burner | Windows | 280,000+ APT IPs in the native Windows Firewall |
| Method | Address |
|---|---|
| PayPal | paypal.me/dergoldenelotus |
| Bitcoin | bc1q3ue5gq822tddmkdrek79adlkm36fatat3lz0dm |
| ETH | 0xD37DEfb09e07bD775EaaE9ccDaFE3a5b2348Fe85 |
| USDT (ERC-20) | 0xD37DEfb09e07bD775EaaE9ccDaFE3a5b2348Fe85 |
Pull requests are welcome. For major changes, open an issue first.
Licensed under AGPLv3: "For Humans, not for SaaS Corporations."
VisionGaia Technology builds enterprise-grade security infrastructure, engineered to the DIAMANT VGT SUPREME standard.
"Sentinel was built because WordPress deserved a security framework that doesn't phone home, doesn't bloat your stack, and doesn't ask you to trust a SaaS dashboard with your attack surface."
Version 1.0.0 · VGT Sentinel Community Edition // Zero-Trust WAF Framework // Deterministic DFA Engine // AGPLv3