"No external libraries. No blind trust. No compromise." AGPLv3 β Open Source Core. Built for humans, not for SaaS margins.
This project is a Proof of Concept (PoC) and part of ongoing research and development at VisionGaia Technology. It is not a certified or production-ready product.
Use at your own risk. The software may contain security vulnerabilities, bugs, or unexpected behavior. It may break your environment if misconfigured or used improperly.
Do not deploy in critical production environments unless you have thoroughly audited the code and understand the implications. For enterprise-grade, verified protection, we recommend established and officially certified solutions.
Found a vulnerability or have an improvement? Open an issue or contact us.
- NEW MODULE: VGT Shield β SHA-256 Proof-of-Work Anti-Bot Engine (Zero-UI, Zero-Cloud, DSGVO-compliant)
- Security: All database outputs now fully escaped β comprehensive output escaping across the entire codebase
- WordPress Marketplace Compliance: All files reviewed and adapted to meet official WordPress plugin guidelines
- MU-Deployer: Removed one-click deployment β the plugin now generates a script that must be uploaded manually via FTP (WordPress policy requirement)
- Red Team Validation: 3 Python-based red team test scripts added to the repository for community validation of Sentinel CE
- Ongoing: New regex filter signatures added to AEGIS
- Ongoing: Internal red team evaluation sessions to continuously improve Community Edition coverage
VGT Sentinel Community Edition is a modular, zero-dependency WordPress security framework engineered to neutralize deterministic attack vectors without sacrificing performance.
It is the open-source core of the VGT Sentinel suite β a battle-hardened, multi-layered defense system built on a Zero-Trust architecture. Every request is inspected, every header hardened, every upload analyzed, every file hashed, and every bot challenged.
Traditional WordPress Security:
β Single plugin = single point of failure
β Shared hosting overhead
β No outbound control
β No filesystem integrity monitoring
VGT Sentinel ZTNA Security Stack:
β Stream-based WAF (AEGIS) β SQLi, XSS, RCE, LFI neutralized
β Kernel Hardening (TITAN) β Server fingerprint masked
β Stealth Engine (HADES) β WordPress architecture obfuscated
β Access Guard (CERBERUS) β IP-validated brute-force prevention
β Outbound Control (STYX LITE) β Data exfiltration blocked
β Payload Sanitizer (AIRLOCK) β Binary upload inspection
β Integrity Monitor (CHRONOS) β SHA-256 filesystem diff-hashing
β Anti-Bot Engine (VGT SHIELD) β Zero-UI PoW bot defense (NEW)
Incoming HTTP Request
β
CERBERUS (Pre-Auth IP Validation)
β Cloudflare CIDR verification
β X-Forwarded-For spoofing prevention
β Brute-force state via RAM/Object Cache
β Hook Priority 1 β fires before WP user logic
β
AEGIS WAF (Stream Inspection)
β php://input scanned in 4KB binary chunks
β Overlap-buffer for boundary-spanning patterns
β 512KB scan limit (Memory Exhaustion prevention)
β Tarpit: Socket-Drop + Connection: Close on critical hit
β
TITAN (Kernel Hardening)
β Security headers injected
β X-Powered-By camouflage (Laravel / Drupal / Django)
β XML-RPC blocked, REST API locked to auth sessions
β .env / wp-config.php / .git access denied at .htaccess level
β
HADES (Stealth Engine)
β URL rewrites mask WordPress directory structure
β Custom slugs for wp-admin and wp-login.php
β
VGT SHIELD (Anti-Bot / PoW Engine) β NEW IN V1.5.0
β SHA-256 cryptographic challenge issued by PHP server
β Web Worker mines proof-of-work in isolated browser thread
β X-VGT-Shield-PoW header injected into form submissions
β Server validates hash in <10ms β replay protection (TTL 1800s)
β
AIRLOCK (Upload Inspection)
β Magic Byte analysis on 4KB header/footer chunks
β PHP wrapper, Base64 and exec-pattern detection
β Polyglot file prevention
β
CHRONOS (Async Integrity Monitor)
β SHA-256 against integrity_matrix.php baseline
β mtime + size pre-filter before hash computation
β Ghost Trap honeypot triggers IP blacklisting on access
β Cron-sliced execution (max 20s) β PHP timeout safe
β
STYX LITE (Outbound Control)
β Telemetry Kill Switch for api.wordpress.org
β Supply-chain exfiltration blocked
Stream-based WAF for real-time payload inspection.
| Parameter | Value |
|---|---|
| Engine | Deterministic Regex Pattern Matching |
| Scan Limit | 512 KB (Memory Exhaustion prevention) |
| Read Strategy | php://input binary stream in 4KB chunks with overlap buffer |
| Protected Vectors | SQLi, XSS, RCE, LFI, Malicious User Agents |
| Threat Response | Immediate socket-drop (Connection: Close) before header send |
Application-layer hardening and server signature masking.
Headers Enforced:
β X-XSS-Protection
β X-Frame-Options: SAMEORIGIN
β X-Content-Type-Options: nosniff
β Referrer-Policy
β Permissions-Policy
Camouflage Engine:
β X-Powered-By spoofed to: Laravel | Drupal | Django
API Lockdown:
β XML-RPC: BLOCKED (full)
β REST API: Auth-only sessions
β RSS/Atom: DISABLED
Protected Paths (.htaccess):
β .env | .git | wp-config.php | composer.json | Vault directories
Architecture obfuscation to prevent automated WordPress fingerprinting.
URL Rewrite Map:
| Original Path | Masked Path |
|---|---|
wp-content/themes |
content/ui |
wp-content/plugins |
content/lib |
wp-content/uploads |
storage |
wp-includes |
core |
wp-admin |
(Custom Slug) |
wp-login.php |
(Custom Slug) |
Webserver Support: Apache (auto via .htaccess) Β· Nginx (static rule injection) Β· LiteSpeed
Pre-authentication IP validation and brute-force defense.
| Feature | Detail |
|---|---|
| True-IP Detection | Native Cloudflare CIDR validation β prevents X-Forwarded-For spoofing |
| Fail-State Tracking | RAM/Object Cache via WordPress Transients |
| Hook Priority | 1 on authenticate β fires before any WP user logic loads |
Network-layer control against data exfiltration and supply-chain attacks.
Telemetry Kill Switch β Blocked Domains:
β api.wordpress.org
β downloads.wordpress.org
β s.w.org
Supply-Chain Protection:
β Blocks unintended external communication from compromised plugins
Binary-level analysis of all file uploads (multipart/form-data).
| Feature | Detail |
|---|---|
| File Policy | Strict allowlist β only pre-approved safe formats |
| Large File Strategy | Memory-safe chunked read β 4KB header/footer scan for files >2MB |
| Magic Byte Inspection | Detects real file type regardless of extension |
| Polyglot Prevention | Blocks PHP wrappers, Base64 obfuscation, exec-patterns in image/document payloads |
Asynchronous filesystem integrity monitoring with honeypot tripwire.
Differential Hashing:
β SHA-256 verified against integrity_matrix.php (PHP-formatted β prevents web exposure)
β mtime + size pre-filter: hash only runs when metadata changes
Ghost Trap:
β Honeypot file: wp-admin-backup-restore.php
β HTTP access = immediate IP blacklisting
Execution Safety:
β Async State Machine β max 20s Cron-Slice
β No PHP timeout risk on large installations
A high-performance, DSGVO-compliant reCAPTCHA alternative for WordPress. Eliminates bot interactions through a server-validated Proof-of-Work engine that operates entirely without user interaction and without external data transfers (Zero-Cloud).
No checkbox. No "I'm not a robot". No Google requests. No cookies. Instead: invisible, mathematical bot defense directly in the browser.
| Feature | Description |
|---|---|
| Zero-UI Bot Defense | End users see no captchas or checkboxes β security operates invisibly in the background |
| SHA-256 PoW Engine | Cryptographic challenge-response via bitwise hashing, isolated in a Web Worker |
| 100% DSGVO-compliant | No third-party requests, no cookies, no tracking |
| Zero-Cloud | Fully server-side β no external APIs, no CDNs |
| Replay Protection | Every hash is valid exactly once β TTL: 1800 seconds |
| Deep Plugin Scanner | AST-regex parsing detects installed form plugins and integrates them automatically |
| Network Layer Hijacking | Automatic interception of network requests for PoW header injection |
| <10ms Server Validation | Minimal latency on server-side hash verification |
| Dark/Light Mode | Neural Aesthetics admin dashboard with full theme support |
How it works:
Client (Browser)
β
βΌ
GET /wp-json/vgt-shield/v1/challenge
β PHP server issues cryptographic challenge
β
βΌ
Web Worker (Isolated Thread)
β SHA-256 Bitwise Hashing
β Mines proof-of-work solution (no UI blocking)
β
βΌ
Form Submission / AJAX Request
β X-VGT-Shield-PoW header injected
β Server validates hash (<10ms)
β Hash marked as used (replay protection)
β
βΌ
β
Legitimate user β form processed
β Bot (no valid PoW) β request blocked
Native integrations: WooCommerce Β· Contact Form 7 Β· WPForms Β· Gravity Forms Β· WordPress Core Comments
The repository includes 3 Python-based red team test scripts for independent validation of Sentinel CE. These tools allow the community to verify that each module is functioning as expected against their own installations.
β οΈ Only use against your own servers. Running these scripts against third-party systems without explicit authorization is illegal.
| Script | Module Tested | Technique |
|---|---|---|
redteam_aegis.py |
AEGIS WAF | SQLi, XSS, RCE, LFI payload injection β validates block rate and response behavior |
redteam_cerberus.py |
CERBERUS | Brute-force simulation with IP rotation β validates fail-state tracking and lockout |
redteam_shield.py |
VGT SHIELD | Bot simulation without PoW β validates challenge-response enforcement |
Run them from an isolated environment after activating Sentinel CE on a test WordPress installation. Each script outputs a structured report with block rate, response codes, and latency metrics.
Zero performance tax. Maximum coverage.
| Optimization | Mechanism |
|---|---|
| Fast-Path Routing | Static assets bypass WAF inspection entirely β saves >90% CPU cycles |
| Stream Chunking | Payload inspection via chunked reads β low, stable RAM footprint |
| Async Scheduling | CHRONOS runs in time-sliced cron β never blocks request handling |
| Web Worker Isolation | VGT SHIELD PoW mining runs in isolated thread β zero UI blocking |
| Zero Dependencies | No external libraries β no supply chain risk, no overhead |
| Component | Detail |
|---|---|
| PHP | 7.4+ (Recommended: 8.1+) |
| Webserver | Apache (auto), Nginx (manual rule injection), LiteSpeed |
| Page Builders | Bridge Manager auto-disables conflicting DOM/header interventions for Elementor, Divi, Oxygen |
| VGT Ecosystem | Native VisionLegalPro support via Shadow-Net Asset Routing |
| VGT Myrmidon | AEGIS Co-op Mode β whitelists Myrmidon ZTNA API endpoints automatically |
| WordPress Marketplace | Fully compliant with WordPress plugin guidelines as of V1.5.0 |
As of V1.5.0, the entire codebase has been reviewed and adapted to meet official WordPress plugin directory guidelines:
- Output escaping: All database outputs and dynamic values are now fully escaped using WordPress core functions (
esc_html,esc_attr,esc_url,wp_kses) throughout the entire plugin - MU-Deployer: One-click MU plugin deployment has been removed per WordPress policy. The plugin now generates a ready-to-use script that must be uploaded manually to
wp-content/mu-plugins/via FTP or SFTP - Code Standards: All files reviewed for compliance with WordPress Coding Standards
DISCLAIMER: The Community Edition (Silber Status) operates on a deterministic rule engine. It provides a robust shield against standardized, automated botnets, scrapers, and known attack vectors.
The following capabilities are exclusive to VGT Sentinel Pro / Platin Status:
| Capability | Silber | Platin |
|---|---|---|
| ORACLE AI β Polymorphic Zero-Day Detection | β | β |
| PROMETHEUS β Dynamic Behavioral Profiling | β | β |
| NEMESIS β Deception-Engine | β | β |
ZEUS β Pre-Boot WAF via auto_prepend_file |
β | β |
| MORPHEUS β Hypervisor for Plugins | β | β |
| GORGON β Global Swarm Intelligence Threat Feed | β | β |
| API CRYPTO VAULT β AES-256-GCM Database Payload Encryption | β | β |
| Deterministic WAF (AEGIS Lite) | β | β |
| Kernel Hardening (TITAN Lite) | β | β |
| Stealth Engine (HADES Lite) | β | β |
| Access Guard (CERBERUS) | β | β |
| Outbound Control (STYX LITE) | β | β |
| Payload Sanitizer (AIRLOCK Lite) | β | β |
| Integrity Monitor (CHRONOS) | β | β |
| Anti-Bot PoW Engine (VGT SHIELD) | β | β |
# 1. Clone into WordPress plugins directory
cd /var/www/html/wp-content/plugins/
git clone https://github.com/visiongaiatechnology/sentinelcom
# 2. Activate in WordPress Admin
# Plugins β VGT Sentinel Community Edition β Activate
# 3. HADES: Configure custom login slug
# Settings β Sentinel β Stealth Engine
# 4. CHRONOS: Generate initial integrity manifest
# Settings β Sentinel β Integrity Monitor β Generate Baseline
# 5. VGT SHIELD: Activate Anti-Bot PoW
# Settings β Sentinel β Shield β EnableMU-Deployer Note: One-click MU deployment is no longer available (WordPress policy). After activating Sentinel, navigate to Settings β Sentinel β MU-Deployer to generate the deployment script, then upload it manually to
wp-content/mu-plugins/via FTP.
On first activation, Sentinel automatically:
β Injects AEGIS WAF into the request lifecycle
β Applies TITAN security headers
β Activates HADES URL rewrites (.htaccess / Nginx rules)
β Initializes CERBERUS fail-state cache
β Generates CHRONOS integrity_matrix.php baseline
β Deploys Ghost Trap honeypot
β Activates STYX outbound kill switch
β Registers VGT SHIELD challenge endpoint (/wp-json/vgt-shield/v1/challenge)
| Tool | Type | Purpose |
|---|---|---|
| βοΈ VGT Sentinel | WAF / IDS Framework | Zero-Trust WordPress security suite β you are here |
| π‘οΈ VGT Myrmidon | ZTNA | Zero Trust device registry and cryptographic integrity verification |
| β‘ VGT Auto-Punisher | IDS | L4+L7 Hybrid IDS β attackers terminated before they even knock |
| π VGT Dattrack | Analytics | Sovereign analytics engine β your data, your server, no third parties |
| π VGT Global Threat Sync | Preventive | Daily threat feed β block known attackers before they arrive |
| π₯ VGT Windows Firewall Burner | Windows | 280,000+ APT IPs in native Windows Firewall |
| Method | Address |
|---|---|
| PayPal | paypal.me/dergoldenelotus |
| Bitcoin | bc1q3ue5gq822tddmkdrek79adlkm36fatat3lz0dm |
| ETH | 0xD37DEfb09e07bD775EaaE9ccDaFE3a5b2348Fe85 |
| USDT (ERC-20) | 0xD37DEfb09e07bD775EaaE9ccDaFE3a5b2348Fe85 |
Pull requests are welcome. For major changes, open an issue first.
Licensed under AGPLv3 β "For Humans, not for SaaS Corporations."
VisionGaia Technology builds enterprise-grade security infrastructure β engineered to the DIAMANT VGT SUPREME standard.
"Sentinel was built because WordPress deserved a security framework that doesn't phone home, doesn't bloat your stack, and doesn't ask you to trust a SaaS dashboard with your attack surface."
Version 1.5.0 β VGT Sentinel Community Edition // Zero-Trust WAF Framework // Deterministic DFA Engine // WordPress Marketplace Ready // AGPLv3