"No external libraries. No blind trust. No compromise." AGPLv3 β Open Source Core. Built for humans, not for SaaS margins.
This project is a Proof of Concept (PoC) and part of ongoing research and development at VisionGaia Technology. It is not a certified or production-ready product.
Use at your own risk. The software may contain security vulnerabilities, bugs, or unexpected behavior. It may break your environment if misconfigured or used improperly.
Do not deploy in critical production environments unless you have thoroughly audited the code and understand the implications. For enterprise-grade, verified protection, we recommend established and officially certified solutions.
Found a vulnerability or have an improvement? Open an issue or contact us.
- New Regex Filters
- Red team tests for internal use to evaluate Sentinel VGT Sentinel
- We work every day to improve the Community Edition.
VGT Sentinel Community Edition is a modular, zero-dependency WordPress security framework engineered to neutralize deterministic attack vectors without sacrificing performance.
It is the open-source core of the VGT Sentinel suite β a battle-hardened, multi-layered defense system built on a Zero-Trust architecture. Every request is inspected, every header hardened, every upload analyzed, every file hashed.
Traditional WordPress Security:
β Single plugin = single point of failure
β Shared hosting overhead
β No outbound control
β No filesystem integrity monitoring
VGT Sentinel ZTNA Security Stack:
β Stream-based WAF (AEGIS) β SQLi, XSS, RCE, LFI neutralized
β Kernel Hardening (TITAN) β Server fingerprint masked
β Stealth Engine (HADES) β WordPress architecture obfuscated
β Access Guard (CERBERUS) β IP-validated brute-force prevention
β Outbound Control (STYX LITE) β Data exfiltration blocked
β Payload Sanitizer (AIRLOCK) β Binary upload inspection
β Integrity Monitor (CHRONOS) β SHA-256 filesystem diff-hashing
Incoming HTTP Request
β
CERBERUS (Pre-Auth IP Validation)
β Cloudflare CIDR verification
β X-Forwarded-For spoofing prevention
β Brute-force state via RAM/Object Cache
β Hook Priority 1 β fires before WP user logic
β
AEGIS WAF (Stream Inspection)
β php://input scanned in 4KB binary chunks
β Overlap-buffer for boundary-spanning patterns
β 512KB scan limit (Memory Exhaustion prevention)
β Tarpit: Socket-Drop + Connection: Close on critical hit
β
TITAN (Kernel Hardening)
β Security headers injected
β X-Powered-By camouflage (Laravel / Drupal / Django)
β XML-RPC blocked, REST API locked to auth sessions
β .env / wp-config.php / .git access denied at .htaccess level
β
HADES (Stealth Engine)
β URL rewrites mask WordPress directory structure
β Custom slugs for wp-admin and wp-login.php
β
AIRLOCK (Upload Inspection)
β Magic Byte analysis on 4KB header/footer chunks
β PHP wrapper, Base64 and exec-pattern detection
β Polyglot file prevention
β
CHRONOS (Async Integrity Monitor)
β SHA-256 against integrity_matrix.php baseline
β mtime + size pre-filter before hash computation
β Ghost Trap honeypot triggers IP blacklisting on access
β Cron-sliced execution (max 20s) β PHP timeout safe
β
STYX LITE (Outbound Control)
β Telemetry Kill Switch for api.wordpress.org
β Supply-chain exfiltration blocked
Stream-based WAF for real-time payload inspection.
| Parameter | Value |
|---|---|
| Engine | Deterministic Regex Pattern Matching |
| Scan Limit | 512 KB (Memory Exhaustion prevention) |
| Read Strategy | php://input binary stream in 4KB chunks with overlap buffer |
| Protected Vectors | SQLi, XSS, RCE, LFI, Malicious User Agents |
| Threat Response | Immediate socket-drop (Connection: Close) before header send |
Application-layer hardening and server signature masking.
Headers Enforced:
β X-XSS-Protection
β X-Frame-Options: SAMEORIGIN
β X-Content-Type-Options: nosniff
β Referrer-Policy
β Permissions-Policy
Camouflage Engine:
β X-Powered-By spoofed to: Laravel | Drupal | Django
API Lockdown:
β XML-RPC: BLOCKED (full)
β REST API: Auth-only sessions
β RSS/Atom: DISABLED
Protected Paths (.htaccess):
β .env | .git | wp-config.php | composer.json | Vault directories
Architecture obfuscation to prevent automated WordPress fingerprinting.
URL Rewrite Map:
| Original Path | Masked Path |
|---|---|
wp-content/themes |
content/ui |
wp-content/plugins |
content/lib |
wp-content/uploads |
storage |
wp-includes |
core |
wp-admin |
(Custom Slug) |
wp-login.php |
(Custom Slug) |
Webserver Support: Apache (auto via .htaccess) Β· Nginx (static rule injection) Β· LiteSpeed
Pre-authentication IP validation and brute-force defense.
| Feature | Detail |
|---|---|
| True-IP Detection | Native Cloudflare CIDR validation β prevents X-Forwarded-For spoofing |
| Fail-State Tracking | RAM/Object Cache via WordPress Transients |
| Hook Priority | 1 on authenticate β fires before any WP user logic loads |
Network-layer control against data exfiltration and supply-chain attacks.
Telemetry Kill Switch β Blocked Domains:
β api.wordpress.org
β downloads.wordpress.org
β s.w.org
Supply-Chain Protection:
β Blocks unintended external communication from compromised plugins
Binary-level analysis of all file uploads (multipart/form-data).
| Feature | Detail |
|---|---|
| File Policy | Strict allowlist β only pre-approved safe formats |
| Large File Strategy | Memory-safe chunked read β 4KB header/footer scan for files >2MB |
| Magic Byte Inspection | Detects real file type regardless of extension |
| Polyglot Prevention | Blocks PHP wrappers, Base64 obfuscation, exec-patterns in image/document payloads |
Asynchronous filesystem integrity monitoring with honeypot tripwire.
Differential Hashing:
β SHA-256 verified against integrity_matrix.php (PHP-formatted β prevents web exposure)
β mtime + size pre-filter: hash only runs when metadata changes
Ghost Trap:
β Honeypot file: wp-admin-backup-restore.php
β HTTP access = immediate IP blacklisting
Execution Safety:
β Async State Machine β max 20s Cron-Slice
β No PHP timeout risk on large installations
Zero performance tax. Maximum coverage.
| Optimization | Mechanism |
|---|---|
| Fast-Path Routing | Static assets bypass WAF inspection entirely β saves >90% CPU cycles |
| Stream Chunking | Payload inspection via chunked reads β low, stable RAM footprint |
| Async Scheduling | CHRONOS runs in time-sliced cron β never blocks request handling |
| Zero Dependencies | No external libraries β no supply chain risk, no overhead |
| Component | Detail |
|---|---|
| PHP | 7.4+ (Recommended: 8.1+) |
| Webserver | Apache (auto), Nginx (manual rule injection), LiteSpeed |
| Page Builders | Bridge Manager auto-disables conflicting DOM/header interventions for Elementor, Divi, Oxygen |
| VGT Ecosystem | Native VisionLegalPro support via Shadow-Net Asset Routing |
| VGT Myrmidon | AEGIS Co-op Mode β whitelists Myrmidon ZTNA API endpoints automatically |
DISCLAIMER: The Community Edition (Silber Status) operates on a deterministic rule engine. It provides a robust shield against standardized, automated botnets, scrapers, and known attack vectors.
The following capabilities are exclusive to VGT Sentinel Pro / Platin Status:
| Capability | Silber | Platin |
|---|---|---|
| ORACLE AI β Polymorphic Zero-Day Detection | β | β |
| PROMETHEUS β Dynamic Behavioral Profiling | β | β |
| NEMESIS β Deception-Engine | β | β |
ZEUS β Pre-Boot WAF via auto_prepend_file) |
β | β |
| MORPHEUS β Hypervisor for Plugins | β | β |
| GORGON β Global Swarm Intelligence Threat Feed | β | β |
| API CRYPTO VAULT β AES-256-GCM Database Payload Encryption | β | β |
| Deterministic WAF (AEGIS Lite) | β | β |
| Kernel Hardening (TITAN Lite) | β | β |
| Stealth Engine (HADES Lite) | β | β |
| Access Guard (CERBERUS) | β | β |
| Outbound Control (STYX LITE) | β | β |
| Payload Sanitizer (AIRLOCK Lite) | β | β |
| Integrity Monitor (CHRONOS) | β | β |
# 1. Clone into WordPress plugins directory
cd /var/www/html/wp-content/plugins/
git clone [https://github.com/visiongaiatechnology/vgt-sentinel](https://github.com/visiongaiatechnology/sentinelcom)
# 2. Activate in WordPress Admin
# Plugins β VGT Sentinel Community Edition β Activate
# 3. HADES: Configure custom login slug
# Settings β Sentinel β Stealth Engine
# 4. CHRONOS: Generate initial integrity manifest
# Settings β Sentinel β Integrity Monitor β Generate BaselineOn first activation, Sentinel automatically:
β Injects AEGIS WAF into the request lifecycle
β Applies TITAN security headers
β Activates HADES URL rewrites (.htaccess / Nginx rules)
β Initializes CERBERUS fail-state cache
β Generates CHRONOS integrity_matrix.php baseline
β Deploys Ghost Trap honeypot
β Activates STYX outbound kill switch
| Tool | Type | Purpose |
|---|---|---|
| βοΈ VGT Sentinel | WAF / IDS Framework | Zero-Trust WordPress security suite β you are here |
| π‘οΈ VGT Myrmidon | ZTNA | Zero Trust device registry and cryptographic integrity verification |
| β‘ VGT Auto-Punisher | IDS | L4+L7 Hybrid IDS β attackers terminated before they even knock |
| π VGT Dattrack | Analytics | Sovereign analytics engine β your data, your server, no third parties |
| π VGT Global Threat Sync | Preventive | Daily threat feed β block known attackers before they arrive |
| π₯ VGT Windows Firewall Burner | Windows | 280,000+ APT IPs in native Windows Firewall |
| Method | Address |
|---|---|
| PayPal | paypal.me/dergoldenelotus |
| Bitcoin | bc1q3ue5gq822tddmkdrek79adlkm36fatat3lz0dm |
| ETH | 0xD37DEfb09e07bD775EaaE9ccDaFE3a5b2348Fe85 |
| USDT (ERC-20) | 0xD37DEfb09e07bD775EaaE9ccDaFE3a5b2348Fe85 |
Pull requests are welcome. For major changes, open an issue first.
Licensed under AGPLv3 β "For Humans, not for SaaS Corporations."
VisionGaia Technology builds enterprise-grade security infrastructure β engineered to the DIAMANT VGT SUPREME standard.
"Sentinel was built because WordPress deserved a security framework that doesn't phone home, doesn't bloat your stack, and doesn't ask you to trust a SaaS dashboard with your attack surface."
Version 1.0.0 β VGT Sentinel Community Edition // Zero-Trust WAF Framework // Deterministic DFA Engine // AGPLv3