=== WP Sentinel Security ===
Contributors: wpsentinel
Tags: security, firewall, malware, scanner, waf, brute force, hardening
Requires at least: 5.6
Tested up to: 6.6
Requires PHP: 7.2
Stable tag: 1.1.0
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

All-in-one WordPress security: WAF, malware and database scanner, core integrity checks, brute-force protection, hardening, auto-updating signatures.

== Description ==

WP Sentinel Security is a self-contained security plugin that protects a WordPress
site on multiple layers:

* **Web Application Firewall (WAF)** — inspects every request for SQL injection,
  XSS, RCE, LFI/RFI, path traversal and PHP object injection. Supports a
  block mode and a learning (log-only) mode.
* **Rate limiting** — throttles and temporarily bans abusive IPs.
* **Brute-force protection** — locks out IPs after repeated failed logins,
  hides login errors and disables XML-RPC.
* **Malware scanner** — walks the whole filesystem in resumable batches and
  matches files against an updatable signature database plus heuristics.
* **WordPress core integrity** — verifies core files against the official
  WordPress.org checksums to detect modified, missing or injected files.
* **MU-Plugin & Drop-in Guard** — an early-loading guardian (must-use plugin)
  runs before any other mu-plugin, keeps an approved allowlist of legitimate
  mu-plugins and drop-ins (object-cache.php, advanced-cache.php, db.php, …) and
  quarantines anything unknown, modified or matching a malware signature before
  it can execute. Specifically targets stealthy "ClickFix" JavaScript injectors.
* **Infection-aware activation** — when first activated, WP Sentinel does not
  trust the current state: it scans existing mu-plugins, drop-ins, files and the
  database, quarantines anything already hostile, and produces an Initial Threat
  Assessment instead of baselining malware as "clean".
* **Runtime remediation** — while an active infection is being cleaned, the
  output sanitizer strips injected ClickFix JavaScript from public pages and
  removes malicious wp_head/wp_footer hooks, reducing visitor exposure.
* **File-integrity monitoring** — baselines themes, plugins, mu-plugins and
  drop-ins, flags added/changed/removed files, and treats any executable PHP in
  the uploads directory as critical.
* **Re-infection watchdog** — detects malware that keeps re-creating itself and
  escalates the alert so you can hunt the dropper.
* **Database scanner** — checks posts, comments, options and admin users for
  injected scripts, iframes, eval payloads, spam and rogue accounts.
* **Quarantine** — isolates malicious files out of the web root; restore or
  delete them safely.
* **Hardening** — security headers, disables the file editor, hides version
  info, blocks user enumeration, and ships recommended .htaccess rules.
* **Auto-updates** — keeps the plugin and the malware signature database
  current automatically.
* **Scheduled scans, logging and email alerts.**

== Installation ==

1. Copy the `wp-sentinel` folder into `wp-content/plugins/` (or upload the ZIP
   under Plugins → Add New → Upload Plugin).
2. Activate **WP Sentinel Security** through the Plugins menu.
3. Open the **WP Sentinel** menu in the admin sidebar.
4. Run your first scan from **WP Sentinel → Malware Scan**.
5. Review and tune options under **WP Sentinel → Settings** and **Firewall**.

For maximum protection, also add the recommended .htaccess rules shown in
Settings → Hardening, and consider running the firewall as a must-use plugin
(see FAQ).

== Frequently Asked Questions ==

= Does this guarantee my site can never be hacked? =
No security tool can promise that. WP Sentinel significantly raises the bar by
blocking common attacks, detecting malware and hardening the install, but you
should still keep WordPress, themes and plugins updated, use strong passwords,
and maintain off-site backups.

= How do I make the firewall run before the rest of WordPress? =
By default the firewall hooks `plugins_loaded`, which fires after every regular
plugin's main file has been included but before `init`, before the theme loads
and before the request is routed. To inspect requests before WordPress (or any
plugin) loads at all, either point PHP's `auto_prepend_file` directive at a small
bootstrap that loads the firewall, or place a loader in `wp-content/mu-plugins/`
(mu-plugins load before regular plugins, though still after the
`advanced-cache.php`, `db.php` and `object-cache.php` drop-ins). Both are
optional and intended for advanced setups.
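As an added example (not a file shipped with WP Sentinel), here is a bootstrap suitable for `auto_prepend_file`. It performs two cheap checks that are only possible at this stage, because the requested script has not run yet, and then hands off to the plugin. The hand-off path `wp-content/plugins/wp-sentinel/firewall.php` is an assumption; check the plugin's own files for the real entry point.

```php
<?php
// Added example, not a file shipped with WP Sentinel: a bootstrap for PHP's
// auto_prepend_file. The plugin entry point path near the end is an assumption.
//
// Point the directive at this file in whichever place your PHP handler reads:
//   php.ini or .user.ini (PHP-FPM / FastCGI):
//       auto_prepend_file = /var/www/html/wp-sentinel-prepend.php
//   .htaccess (mod_php only):
//       php_value auto_prepend_file /var/www/html/wp-sentinel-prepend.php
//
// The bootstrap is prepended to every PHP script the handler runs, including
// direct hits on stray PHP files, so it must stay cheap, emit nothing on the
// allow path, and never fatal.

if (PHP_SAPI === 'cli' || defined('WP_SENTINEL_PREPENDED')) {
    return; // wp-cli/cron carry no HTTP request; also guards a double prepend
}
define('WP_SENTINEL_PREPENDED', true);

function wp_sentinel_prepend_deny(int $status, string $why): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Request blocked before WordPress loaded: {$why}\n";
    exit;
}

$script  = realpath($_SERVER['SCRIPT_FILENAME'] ?? '') ?: '';
$uploads = realpath(__DIR__ . '/wp-content/uploads') ?: '';

// 1. A PHP file under uploads/ is a webshell until proven otherwise. Because this
//    runs before the requested script, the file's own code never executes.
if ($uploads !== '' && strpos($script, $uploads . DIRECTORY_SEPARATOR) === 0) {
    wp_sentinel_prepend_deny(403, 'PHP execution in wp-content/uploads is not allowed');
}

// 2. xmlrpc.php is the usual amplifier for credential stuffing. Drop this rule
//    if you rely on Jetpack or the WordPress mobile apps.
if (basename($script) === 'xmlrpc.php') {
    wp_sentinel_prepend_deny(403, 'XML-RPC is disabled');
}

// 3. Hand off to the plugin's firewall if it provides a standalone loader. The
//    file name is an assumption; a missing file must not break the site.
$firewall = __DIR__ . '/wp-content/plugins/wp-sentinel/firewall.php';
if (is_readable($firewall)) {
    require $firewall;
}
```

Keep the bootstrap outside `wp-content/plugins/` so a plugin update or the plugin being deactivated cannot remove it, and test with `php -l` before enabling the directive: a parse error here takes down every PHP request on the host.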

= Where do signature updates come from? =
From the JSON feed configured in Settings → Updates (Signature Feed URL). Point
it at an endpoint you control, served over HTTPS. See `signatures.example.json`
for the format. A downloaded feed is validated (every regex must compile)
before it is trusted.

= Will the scanner flag legitimate code? =
Possibly. Some legitimate plugins use functions such as `base64_decode` that
also appear in malware, so findings are ranked by severity rather than treated
as equal. Auto-quarantine is OFF by default and, when enabled, fires only on
CRITICAL detections. Always review a finding before deleting the file.
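An added example, not WP Sentinel's code, of the two checks described in this and the previous answer: feed validation in which a single non-compiling regex rejects the whole feed, and severity ranking in which only CRITICAL findings can trigger opt-in auto-quarantine. The feed layout, the signature IDs and the two sample files are constructed for the demo; `signatures.example.json` is authoritative for the real format. Note that a compile check proves a regex is syntactically valid, not that the feed is authentic, which is why the feed should be fetched over HTTPS from a host you control.

```php
<?php
// Added example, not WP Sentinel's own code. The feed layout
// {"signatures":[{id,severity,regex,description}]} is an assumption.

const SEVERITY_RANK = ['LOW' => 1, 'MEDIUM' => 2, 'HIGH' => 3, 'CRITICAL' => 4];

/** Decode and validate a feed; any malformed entry rejects the whole feed. */
function validate_feed(string $json): array
{
    $feed = json_decode($json, true);
    if (!is_array($feed) || !isset($feed['signatures']) || !is_array($feed['signatures'])) {
        throw new InvalidArgumentException('feed is not a signature list');
    }
    $signatures = [];
    foreach ($feed['signatures'] as $sig) {
        if (!is_array($sig)) {
            throw new InvalidArgumentException('signature entry is not an object');
        }
        foreach (['id', 'severity', 'regex'] as $key) {
            if (empty($sig[$key]) || !is_string($sig[$key])) {
                throw new InvalidArgumentException("signature is missing a string '{$key}'");
            }
        }
        if (!isset(SEVERITY_RANK[$sig['severity']])) {
            throw new InvalidArgumentException("{$sig['id']}: unknown severity '{$sig['severity']}'");
        }
        // preg_match() returns false (with a warning, silenced here) when the
        // pattern does not compile. A feed that fails this is not trusted at all.
        if (@preg_match($sig['regex'], '') === false) {
            throw new InvalidArgumentException("{$sig['id']}: regex does not compile");
        }
        $signatures[] = $sig + ['description' => ''];
    }
    return $signatures;
}

/** Match every signature against one file's content; most severe finding first. */
function scan_content(string $content, array $signatures): array
{
    $findings = [];
    foreach ($signatures as $sig) {
        if (preg_match($sig['regex'], $content, $m, PREG_OFFSET_CAPTURE) === 1) {
            $findings[] = [
                'id'       => $sig['id'],
                'severity' => $sig['severity'],
                'offset'   => $m[0][1],
                'excerpt'  => substr($m[0][0], 0, 60),
            ];
        }
    }
    usort($findings, function (array $a, array $b): int {
        return SEVERITY_RANK[$b['severity']] <=> SEVERITY_RANK[$a['severity']];
    });
    return $findings;
}

/** Auto-quarantine is off unless enabled, and then fires only on CRITICAL. */
function should_auto_quarantine(array $findings, bool $enabled = false): bool
{
    foreach ($findings as $f) {
        if ($enabled && $f['severity'] === 'CRITICAL') {
            return true;
        }
    }
    return false;
}

// --- constructed feed and sample files ---------------------------------------
$feed_json = <<<'JSON'
{"signatures": [
  {"id": "php.eval_decode", "severity": "CRITICAL",
   "regex": "/\\beval\\s*\\(\\s*(?:base64_decode|gzinflate|str_rot13)\\s*\\(/i",
   "description": "eval() fed by a decoder: classic one-line backdoor"},
  {"id": "js.clipboard_write", "severity": "HIGH",
   "regex": "/navigator\\.clipboard\\.writeText\\s*\\(/i",
   "description": "writes to the clipboard, as ClickFix lures do"},
  {"id": "php.base64_decode", "severity": "LOW",
   "regex": "/\\bbase64_decode\\s*\\(/",
   "description": "also used legitimately; review before acting"}
]}
JSON;

$legit   = "<?php\n\$icon = base64_decode('iVBORw0KGgo=');  // embedding an image: benign\n";
$hostile = "<?php\neval(base64_decode(\$_POST['x']));  // constructed backdoor shape\n";

$signatures = validate_feed($feed_json);
foreach (['legit' => $legit, 'hostile' => $hostile] as $name => $content) {
    $findings = scan_content($content, $signatures);
    printf("%-7s top=%-8s auto-quarantine=%s\n", $name,
        $findings ? $findings[0]['severity'] : 'none',
        should_auto_quarantine($findings, true) ? 'yes' : 'no');
}

// A feed with one broken regex is rejected as a whole, not partially applied.
try {
    validate_feed('{"signatures":[{"id":"bad","severity":"HIGH","regex":"/[unterminated/"}]}');
} catch (InvalidArgumentException $e) {
    echo "rejected feed: {$e->getMessage()}\n";
}
```

The legitimate sample trips only the LOW `base64_decode` signature and is never auto-quarantined; the backdoor shape trips CRITICAL and is, but only because the flag was passed as enabled.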

= What is the guardian mu-plugin and where is it installed? =
On activation WP Sentinel installs `wp-content/mu-plugins/00-wp-sentinel-guardian.php`.
Because mu-plugins load before regular plugins (and `00-` sorts first), it runs
ahead of any malicious mu-plugin and can quarantine it before it executes. It is
managed automatically - do not edit or delete it manually. If your host blocks
writes to mu-plugins, WP Sentinel shows a notice with a "Retry install" button
and falls back to detecting/quarantining on the next request.

= The guard quarantined a legitimate mu-plugin / object-cache.php. What do I do? =
Open WP Sentinel → MU-Plugin Guard and either restore the file from the
Quarantine page, or approve it so it is added to the trusted allowlist. If you
enabled auto-quarantine of unknown mu-plugins/drop-ins, every newly added one is
isolated until you approve it, so approve a new caching drop-in right after
installing it.
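An added example (not the guardian file WP Sentinel installs) of the allowlist check the two answers above describe: hash every top-level mu-plugin and every present drop-in, compare against an allowlist, move anything unknown or modified out of the web root before WordPress includes it, and let an operator approve a file so the next request trusts it. It runs against a throw-away layout in the system temp directory; the allowlist representation, the quarantine path and the file names are assumptions.

```php
<?php
// Added example, not the guardian WP Sentinel installs. Layout is built under
// the system temp dir so the script runs stand-alone; the allowlist store and
// the quarantine location are assumptions.

// Drop-ins WordPress includes from wp-content when present (subset of _get_dropins()).
const DROP_INS = ['advanced-cache.php', 'db.php', 'object-cache.php', 'sunrise.php'];

/** Path relative to wp-content => sha256, for every file the guard must vet. */
function collect_candidates(string $content_dir): array
{
    $found = [];
    // WordPress only includes *.php directly inside mu-plugins/, sorted by name,
    // which is why a "00-" prefix makes the guard run first.
    foreach (glob($content_dir . '/mu-plugins/*.php') ?: [] as $file) {
        $found['mu-plugins/' . basename($file)] = hash_file('sha256', $file);
    }
    foreach (DROP_INS as $name) {
        if (is_file("$content_dir/$name")) {
            $found[$name] = hash_file('sha256', "$content_dir/$name");
        }
    }
    return $found;
}

/**
 * Vet every candidate against $allowlist (relative path => sha256). Returns a
 * decision per path; unknown or modified files are renamed into $quarantine_dir.
 */
function guard(string $content_dir, array $allowlist, string $quarantine_dir, string $self): array
{
    $decisions = [];
    foreach (collect_candidates($content_dir) as $rel => $hash) {
        if ($rel === $self) {
            $decisions[$rel] = 'self';
            continue;
        }
        if (!isset($allowlist[$rel])) {
            $reason = 'unknown';
        } elseif (!hash_equals($allowlist[$rel], $hash)) {
            $reason = 'modified';
        } else {
            $decisions[$rel] = 'trusted';
            continue;
        }
        if (!is_dir($quarantine_dir)) {
            mkdir($quarantine_dir, 0700, true);
        }
        // rename() is atomic on one filesystem but fails across mount points, so
        // keep the quarantine on the same volume. The .quarantined suffix stops
        // the file being served as PHP even if the directory were ever exposed.
        $dest = $quarantine_dir . '/' . date('Ymd-His') . '-' . str_replace('/', '__', $rel) . '.quarantined';
        $decisions[$rel] = rename("$content_dir/$rel", $dest) ? "quarantined: $reason" : "FAILED: $reason";
    }
    return $decisions;
}

/** Approving records the file's current hash; any later change reads as "modified". */
function approve(array $allowlist, string $content_dir, string $rel): array
{
    $allowlist[$rel] = hash_file('sha256', "$content_dir/$rel");
    return $allowlist;
}

// --- constructed layout ------------------------------------------------------
$root    = sys_get_temp_dir() . '/wp-sentinel-guard-demo-' . getmypid();
$content = "$root/wp-content";
mkdir("$content/mu-plugins", 0700, true);
file_put_contents("$content/mu-plugins/00-guardian.php",    "<?php // the guard itself\n");
file_put_contents("$content/mu-plugins/10-site-tweaks.php", "<?php add_filter('xmlrpc_enabled', '__return_false');\n");
file_put_contents("$content/mu-plugins/zz-helper.php",      "<?php // constructed: unknown file that appeared overnight\n");
file_put_contents("$content/object-cache.php",              "<?php // constructed: drop-in whose contents changed\n");

$allowlist = [
    'mu-plugins/10-site-tweaks.php' => hash_file('sha256', "$content/mu-plugins/10-site-tweaks.php"),
    'object-cache.php'              => hash('sha256', "<?php // original drop-in contents\n"), // stale on purpose
];
$quarantine = "$root/quarantine"; // in a real deployment: outside the document root

print_r(guard($content, $allowlist, $quarantine, 'mu-plugins/00-guardian.php'));
// 00-guardian.php => self, 10-site-tweaks.php => trusted,
// zz-helper.php => quarantined: unknown, object-cache.php => quarantined: modified

// The operator restores zz-helper.php and approves it; the next request trusts it.
$back = glob("$quarantine/*zz-helper.php.quarantined")[0];
rename($back, "$content/mu-plugins/zz-helper.php");
$allowlist = approve($allowlist, $content, 'mu-plugins/zz-helper.php');
print_r(guard($content, $allowlist, $quarantine, 'mu-plugins/00-guardian.php'));
```

Two limits of this design are worth keeping in mind: the drop-ins listed in `DROP_INS` have already been included by the time any mu-plugin runs, so a hostile one executes once before it is quarantined; and the allowlist itself must live somewhere the attacker cannot simply edit, otherwise approving the dropper is one `UPDATE` away.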

== Important security notes ==

* No tool can guarantee a clean site. Detection is signature/heuristic based, so
  a brand-new, unsignatured backdoor can still slip through. Always keep off-site
  backups and review the Initial Threat Assessment after activation.
* The runtime output sanitizer is a stop-gap that protects visitors while you
  clean the source file or database - it is not a substitute for removing the
  malware. It auto-disables once scans come back clean.
* `advanced-cache.php` (when `WP_CACHE` is on), `db.php` and `object-cache.php`
  are included by wp-settings.php before any mu-plugin, the guardian included,
  so a hostile copy runs once and is quarantined on the next request rather
  than the current one.
* Database injections are flagged for manual review (with edit links) and are
  never modified automatically.

== Changelog ==

= 1.1.0 =
* Added MU-Plugin & Drop-in Guard with an early-loading guardian that blocks
  hostile mu-plugins before they execute.
* Added infection-aware (verify-first) activation and Initial Threat Assessment.
* Added runtime remediation: ClickFix output sanitizer and malicious hook removal.
* Added ClickFix / JavaScript-injection signatures.
* Expanded file-integrity monitoring to mu-plugins, drop-ins and uploads.
* Added re-infection watchdog.

= 1.0.0 =
* Initial release: WAF, malware + database scanner, core integrity, brute-force
  protection, hardening, quarantine, scheduled scans, auto-updating signatures.
