Help center

The Sentinel guide: how it works, step by step

Everything Sentinel does and how to use it — scanning, findings, quarantine, incident response and every engine. Search your question or browse the index.

Getting started

What is Dunes Sentinel?
A forensic-grade security platform for WordPress: 10 detection engines, real-time defense, and forensic and compliance modules, all running in parallel. Detection runs on your own server; the only network traffic is the feed downloads and the metadata-only AI queries noted in their entries below, never your file contents.
How do I install and activate it?
Plugins → Add New → Upload, pick the ZIP, install and activate. Dunes Sentinel appears in the sidebar. Requires WordPress 6.0+ and PHP 7.4+ (8.1+ recommended).
Where do I start?
On activation the setup wizard walks you through four steps in about 5 minutes: activate your license, create the clean baseline, run the first scan and turn on the recommended defense modules. Create the baseline only on a site you trust: every file hashed into it is treated as known-good from then on.
How do I activate my license?
Go to the License tab → paste your key (you get it by email on purchase and in your customer panel). To try for free use the dev keys: dev-pro, dev-agency, dev-enterprise.

Scanning & analysis

How do I scan my site?
Go to Dunes Sentinel → Scan and hit Start scan. Sentinel walks your PHP/JS files, the database and the config, running every item through the 10 engines at once. When it finishes you get the findings sorted by severity, and you can watch progress live.
What exactly does the scan check?
Each file goes through: webshell signatures (Patterns), token analysis (AST), entropy, diff against the baseline, fuzzy hashing (Fuzzy Hash), attacker-data tracing (Taint), YARA-Lite rules, JavaScript malware (JS-AST), quality/security audit (SAST) and CVEs in your plugins and themes (Supply Chain).
Can I schedule automatic scans?
Yes. Sentinel schedules a periodic scan via WP-Cron (daily by default) plus a self-pentest at 03:00. You can tune the frequency in settings.
Does scanning slow my site down?
It is designed not to. Scanning runs in batches in the background under time and memory limits, and if the host kills the process it resumes where it left off, so visitors should not notice.

Findings

What is a finding and how do I read it?
Each detection is a "finding" with file and line, the engine that found it, the rule, the MITRE ATT&CK technique, the severity and a code excerpt. Click for the full detail.
What do the severities mean?
Critical: almost certainly malicious or exploitable — act now. High: very suspicious, review soon. Medium: worth a look. Low / Info: minor or code-quality notice.
How do I know if a finding is really malicious?
Open the finding and use the AI Threat Analyst: it explains in plain language what was found, why the rule fired and how to clean up. Signs of a true positive: high entropy together with obfuscation (eval, base64_decode), a recently modified file (check the Timeline), an odd location (a .php file inside uploads) or a family match from Fuzzy Hash. If the code appears to belong to a known plugin, compare the file against a fresh copy of that plugin version before you mark it a false positive; once marked, it stops alerting.
What do I do with a finding?
You have three actions: confirm (it is real), ignore (false positive) or send it to quarantine. Every action is recorded in the tamper-proof audit log.

Quarantine

What is quarantine and what do I do with it?
It isolates a suspicious file without deleting it: Sentinel moves it into an encrypted store (wp-content/uploads/dunes-sentinel-quarantine/) where it can no longer execute, and your site keeps working. That path sits inside the web root, so the protection comes from the encryption (the stored blob is no longer runnable PHP) rather than from the location; check that your web server does not serve that directory. From there you decide: restore or destroy.
Restore or destroy?
Restore returns the file to its original location; do this only once you have confirmed it was legitimate. Destroy removes it permanently and securely. When in doubt, leave it quarantined: the file cannot run from there. Quarantine removes the file, not the way it got in, so also follow the incident-response steps below.
Do I lose anything by quarantining a file?
No. The file is kept intact but stops running, so you can always restore it if it was a false positive. It is the safe default.

Incident response

What is the IR Playbook and what is it for?
It is an IFTTT-style rule engine ("if X happens, do Y") that automates incident response. When an event fires (repeated failed logins, a DB Shield block, someone touching the decoy admin…), Sentinel evaluates every active playbook and runs its actions: ban the IP, kill sessions, raise the defense level, alert you via webhook, etc. Several ship ready (e.g. "Lockout brute force") and you can build your own.
What do I do if I have been hacked?
Follow the response plan:
  1. Isolate: quarantine the affected files and raise defense (WAF/RASP).
  2. Investigate: use the Timeline (what changed and when) and Threat Hunting to gauge the scope.
  3. Understand: the AI Analyst explains each threat and the plan.
  4. Clean: quarantine or destroy the malicious code and use Auto-Clean to restore the WordPress core.
  5. Recover: if needed, Time Travel back to a clean snapshot.
  6. Harden: change passwords, rotate secrets (Vault) and review admin users.
What is the AI Threat Analyst?
It explains a finding in plain language and proposes a step-by-step cleanup plan. If Dunes AI is active it uses that LLM; otherwise it falls back to local template-based analysis. Privacy: only metadata is sent (malware family, rule, MITRE technique, relative path), never file contents or your site data.
What is Threat Hunting (DQL)?
A Splunk-like search console with its own language (DQL) over all plugin events: findings, audit, blocks and playbooks, from a single box. Examples: severity:high AND engine:ast, ip:192.168.* OR country:CN, rule_id:CVE-* AND ts:>24h.
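
The grammar of DQL is not documented on this page, so the following is an added example of how a search like the ones above can be evaluated, not the plugin's own console: it assumes terms are field:value, joined by AND / OR (AND binds tighter), that '*' is a wildcard, and that ts:>24h / ts:<7d compare the event timestamp against "now minus an interval". The events are constructed sample data.

```python
"""Toy evaluator for queries in the style of Sentinel's DQL. Added example; the
real grammar is not documented, so this assumes: terms are field:value, joined by
AND / OR (AND binds tighter), '*' is a wildcard, and ts:>24h / ts:<7d compare the
event timestamp against "now minus an interval"."""
import fnmatch
import re

NOW = 1_700_000_000  # fixed "now" so the constructed data is reproducible

# Constructed sample events; field names follow the examples on the page.
EVENTS = [
    {"ts": NOW - 3600,      "severity": "high",     "engine": "ast",          "ip": "192.168.1.7",  "country": "ES", "rule_id": "AST-042"},
    {"ts": NOW - 2 * 86400, "severity": "critical", "engine": "patterns",     "ip": "203.0.113.9",  "country": "CN", "rule_id": "WEBSHELL-007"},
    {"ts": NOW - 600,       "severity": "high",     "engine": "supply_chain", "ip": "198.51.100.4", "country": "US", "rule_id": "CVE-2024-0001"},
    {"ts": NOW - 5 * 86400, "severity": "low",      "engine": "sast",         "ip": "192.168.4.2",  "country": "DE", "rule_id": "SAST-110"},
]

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_TERM = re.compile(r"^(\w+):(>=|<=|>|<)?(.+)$")

def _match_term(event, term, now):
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"bad term: {term!r}")
    field, op, raw = m.groups()
    if field not in event:
        return False
    value = event[field]
    if field == "ts":
        # ts:>24h = newer than 24 hours ago; ts:<7d = older than 7 days.
        rel = re.fullmatch(r"(\d+)([smhd])", raw)
        cutoff = now - int(rel.group(1)) * _UNITS[rel.group(2)] if rel else int(raw)
        return {">": value > cutoff, ">=": value >= cutoff,
                "<": value < cutoff, "<=": value <= cutoff}.get(op, value == cutoff)
    # Plain terms: case-insensitive glob match (ip:192.168.*, rule_id:CVE-*).
    return fnmatch.fnmatchcase(str(value).lower(), raw.lower())

def _parse(query):
    """Split the query into OR-groups of AND-terms."""
    groups, current = [], []
    for tok in query.split():
        if tok.upper() == "OR":
            groups.append(current)
            current = []
        elif tok.upper() != "AND":
            current.append(tok)
    groups.append(current)
    if any(not g for g in groups):
        raise ValueError("empty clause in query")
    return groups

def dql_search(events, query, now=NOW):
    """Return the events matching the query."""
    groups = _parse(query)
    return [e for e in events
            if any(all(_match_term(e, t, now) for t in g) for g in groups)]

if __name__ == "__main__":
    for q in ("severity:high AND engine:ast", "ip:192.168.* OR country:CN", "rule_id:CVE-* AND ts:>24h"):
        print(q, "->", [e["rule_id"] for e in dql_search(EVENTS, q)])
```

The relative-time handling is the part worth copying: a hunting console that compares timestamps against a frozen "now" gives reproducible results when you re-run a saved query during an investigation.
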

Detection engines

Patterns — webshell signatures
80+ regex signatures of webshells and backdoors, each mapped to a MITRE ATT&CK technique. The first line of defense: it recognizes known malware instantly.
AST — token analysis
Tokenizes PHP and analyzes its structure to catch indirect sinks, variable-variables, backticks and RAT combos a plain regex would miss.
Entropy — obfuscated code
Measures Shannon entropy and a chi-square statistic over 1 KB sliding windows. Encrypted, compressed or packed code has a randomness profile that ordinary source code never shows, and that gives it away.
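
The two measures in action, as an added example (not the plugin's engine): Shannon entropy and a chi-square test over 1 KB windows, run on a constructed clean plugin file and on the same file with an eval(base64_decode(...)) payload appended. The window step and the 5.5 bits/byte threshold are assumptions; the page gives only the window size.

```python
"""Sliding-window Shannon entropy plus a chi-square test against a uniform byte
distribution, the two measures the Entropy engine is described as using. Added
example with constructed inputs; step size and threshold are assumptions."""
import base64
import hashlib
import math

WINDOW = 1024   # the page says 1 KB windows
STEP = 512

def byte_counts(data: bytes):
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return counts

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (one repeated byte) to 8.0 (uniform)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in byte_counts(data) if c)

def chi_square(data: bytes) -> float:
    """Chi-square statistic vs. a uniform byte distribution. Random bytes land near 255
    (the degrees of freedom), text and source code score in the thousands, a perfectly
    uniform input scores 0."""
    n = len(data)
    if n == 0:
        return 0.0
    expected = n / 256
    return sum((c - expected) ** 2 / expected for c in byte_counts(data))

def suspicious_windows(data: bytes, threshold: float = 5.5, window: int = WINDOW, step: int = STEP):
    """(offset, entropy, chi2) for each window whose entropy reaches the threshold.
    Base64 text has at most 6 bits/byte of entropy (64 symbols) and typical PHP source
    sits around 4.5-5.0, so a threshold in between isolates encoded payloads."""
    hits = []
    for off in range(0, max(1, len(data) - window + 1), step):
        chunk = data[off:off + window]
        h = shannon_entropy(chunk)
        if h >= threshold:
            hits.append((off, round(h, 2), round(chi_square(chunk), 1)))
    return hits

# Constructed samples: an ordinary plugin file, and the same file with an
# eval(base64_decode(...)) payload appended, the way a dropped backdoor often looks.
CLEAN_PHP = b"""<?php
/** Plugin Name: Example Books */
add_action('init', function () {
    register_post_type('book', ['public' => true, 'label' => 'Books']);
});
function example_books_sanitize($value) {
    return sanitize_text_field(wp_unslash($value));
}
""" * 12
_payload = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(60))
INFECTED_PHP = CLEAN_PHP + b"$p = base64_decode('" + base64.b64encode(_payload) + b"'); eval($p);\n"

if __name__ == "__main__":
    print("clean   :", suspicious_windows(CLEAN_PHP))
    print("infected:", suspicious_windows(INFECTED_PHP))
```

Windows rather than whole-file scores matter because a 200 KB legitimate library with a 2 KB encoded blob spliced in averages out to a normal entropy; the sliding window keeps the blob visible. Minified JavaScript and legitimately packed assets also score high, which is why a high-entropy window is one true-positive sign among several rather than a verdict on its own.
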
Baseline — change detection
Stores a SHA-256 snapshot of your clean site and compares every file against it. Any change, however small, is flagged.
Genome — the file "DNA"
Combines entropy, hashes and fuzzy similarity to compute each file's DNA and recognize malware families traditional signatures miss.
Fuzzy Hash — mutated variants
A TLSH-like 32-byte fuzzy hash that recognizes the same malware even when lines were changed to dodge exact signatures.
Taint — dangerous data flow
Traces attacker data ($_GET/$_POST) all the way to the dangerous sinks (RCE, SQLi, LFI, XSS), accounting for sanitizers along the way.
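
What "tracing attacker data to a sink while accounting for sanitizers" means, as an added example rather than the plugin's analyzer: a deliberately small, line-based tracker over a constructed PHP file that holds both vulnerable and correctly sanitized flows. The source, sink and sanitizer tables are assumptions, and being regex-driven it has no real parser, so nested calls and control flow are only approximated.

```python
"""Toy intraprocedural taint tracker over PHP source lines, to show the data-flow
idea behind the Taint engine. Added example, not the plugin's analyzer: it is
line-based and regex-driven (no real parser), so nested calls and control flow
are approximated. Sources, sinks and sanitizer coverage are assumptions."""
import re

SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# Sink function -> vulnerability class reached when tainted data arrives there.
SINKS = {
    "eval": "RCE", "system": "RCE", "exec": "RCE", "shell_exec": "RCE", "passthru": "RCE",
    "include": "LFI", "require": "LFI", "include_once": "LFI", "require_once": "LFI",
    "mysqli_query": "SQLi", "echo": "XSS", "print": "XSS",
}
# Sanitizer -> classes it neutralises (toy mapping; an integer cast makes any class safe).
ALL = {"RCE", "LFI", "SQLi", "XSS"}
SANITIZERS = {
    "intval": ALL, "absint": ALL,
    "esc_html": {"XSS"}, "esc_attr": {"XSS"}, "htmlspecialchars": {"XSS"},
    "esc_sql": {"SQLi"}, "basename": {"LFI"},
}
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")
CALL = re.compile(r"\b(\w+)\s*\(")
STMT_SINK = re.compile(r"^\s*(echo|print|include_once|require_once|include|require)\b")
VAR = re.compile(r"\$\w+")

def analyze(php: str):
    """Return (line_no, sink, class, tainted_expression) for each tainted flow into a sink."""
    taint = {}        # variable -> classes it is still dangerous for
    findings = []
    for no, line in enumerate(php.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.groups()
            classes = set(ALL) if SOURCES.search(rhs) else set()
            for v in VAR.findall(rhs):              # propagate from other tainted variables
                classes |= taint.get(v, set())
            for fn in CALL.findall(rhs):            # sanitizers on the right-hand side clear their classes
                classes -= SANITIZERS.get(fn, set())
            if classes:
                taint[var] = classes
            else:
                taint.pop(var, None)                # reassigned from a clean value
            continue
        fns = CALL.findall(line)
        stmt = STMT_SINK.match(line)
        if stmt:
            fns.append(stmt.group(1))
        sanitized = set().union(*(SANITIZERS.get(f, set()) for f in fns))
        for fn in fns:
            cls = SINKS.get(fn)
            if cls is None or cls in sanitized:
                continue
            hits = [v for v in VAR.findall(line) if cls in taint.get(v, set())]
            src = SOURCES.search(line)
            if not hits and src:                    # superglobal used directly in the sink
                hits = [src.group(0)]
            findings.extend((no, fn, cls, v) for v in hits)
    return findings

# Constructed sample with both vulnerable and correctly sanitized flows.
SAMPLE = """<?php
$id   = $_GET['id'];
$safe = intval($_GET['id']);
$name = $_POST['name'];
$cmd  = "ls " . $_REQUEST['dir'];
$page = basename($_GET['p']);
mysqli_query($db, "SELECT * FROM posts WHERE id = $id");
mysqli_query($db, "SELECT * FROM posts WHERE id = $safe");
echo esc_html($name);
echo $name;
system($cmd);
include $page . ".php";
include $_GET['tpl'];
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print("line %d: %s -> %s via %s" % f)
```

The sanitizer table is per class on purpose: esc_html() makes a value safe to echo but does nothing for a shell command, and basename() defuses a path but not SQL. A tracker that treats "sanitized" as a single bit reports the wrong lines as clean.
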
JS AST — JavaScript malware
Analyzes JavaScript for Magecart skimmers, browser miners (Coinhive-style), hidden iframes and atob+eval patterns typical of browser fraud.
YARA-Lite — customizable rules
A YARA-style rule engine in lightweight JSON with base64 wrapping, so you can add your own detections.
Code Quality (SAST) — deep audit
Deep static analysis beyond malware: it finds vulnerabilities, quality issues, performance and compatibility problems in your code.
AI Anomaly — anomalous behavior
Applies a robust Z-score (based on the median absolute deviation, MAD) over the site's operational metrics to spot what deviates from normal. Fully on-device, no data leaves.

Real-time defense

Shield (WAF) — application firewall
Filters and blocks injection attempts in comments, REST, login and POST requests before they reach your code.
DB Shield — database firewall
Inspects SQL queries and blocks UNION-based, tautology, time-based, stacked-query and out-of-band injection patterns before they reach the database.
Upload Fortress — upload hardening
Checks real magic bytes, sanitizes SVG, and detects polyglots and deceptive Unicode filenames so nobody sneaks in a disguised .php.
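
The three checks named above, as an added example on constructed uploads (not the plugin's code): magic bytes against the claimed extension, PHP markers hidden inside an image, and filenames that use a right-to-left override, zero-width characters or Unicode look-alikes to disguise a .php. The allow-list of image types and the marker set are assumptions; SVG sanitizing is not shown.

```python
"""Upload checks in the spirit of Upload Fortress: real magic bytes vs. the claimed
extension, PHP markers hidden in an image (polyglot), and filenames that use bidi
or zero-width characters or Unicode look-alikes to disguise a .php. Added example
with constructed inputs; the allow-list and marker set are assumptions."""
import re
import unicodedata

MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}
EXECUTABLE = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps", "pht"}
PHP_MARKERS = re.compile(rb"<\?php|<\?=|<script[^>]+language\s*=\s*[\"']?php", re.I)
# Bidi overrides (U+202A-202E), zero-width and other invisible format characters.
INVISIBLE = re.compile("[\u200b-\u200f\u202a-\u202e\u2060-\u2064\ufeff]")

def check_upload(filename: str, data: bytes):
    """Return a list of problems; an empty list means the upload passed every check."""
    problems = []
    if INVISIBLE.search(filename):
        problems.append("invisible or bidi characters in filename")
    normalized = unicodedata.normalize("NFKC", filename)
    if normalized != filename:
        problems.append("filename changes under NFKC normalisation (look-alike characters)")
    # Judge the extension on the cleaned-up name, the way the web server will see it.
    parts = INVISIBLE.sub("", normalized).lower().split(".")
    exts = parts[1:]
    if any(e in EXECUTABLE for e in exts):       # also catches shell.php.jpg
        problems.append("executable extension in name: ." + ".".join(exts))
    ext = exts[-1] if exts else ""
    signatures = MAGIC.get(ext)
    if signatures is None:
        problems.append(f"extension '.{ext}' is not on the allow-list")
    elif not any(data.startswith(sig) for sig in signatures):
        problems.append(f"content does not match .{ext} magic bytes")
    if PHP_MARKERS.search(data):
        problems.append("PHP code inside the file (polyglot)")
    return problems

# Constructed samples.
PNG = b"\x89PNG\r\n\x1a\n" + bytes(64)
JPG = b"\xff\xd8\xff\xe0" + bytes(64)
WEBSHELL = b"<?php system($_GET['c']); ?>"

if __name__ == "__main__":
    for name, blob in [("photo.png", PNG), ("avatar.jpg", WEBSHELL), ("cat.jpg", JPG + WEBSHELL),
                       ("shell.php.jpg", JPG), ("report\u202egnp.php", JPG), ("photo\uff0epng", PNG)]:
        print(repr(name), "->", check_upload(name, blob) or "ok")
```

The polyglot case is the one a magic-bytes check alone misses: a file with a valid JPEG header and a PHP payload after it passes the header test, and it is only dangerous if something executes it, which is exactly what RASP's "no PHP from uploads" guard and a web server rule denying .php under uploads are for.
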
RASP — runtime self-protection
Six runtime guard rails: it blocks PHP executing from uploads, active_plugins tampering, capability escalation and more.
Zero-Trust — zero-trust sessions
Binds each session to a device fingerprint and watches geo-velocity (impossible country hops). If something is off, it cuts access.
Bot Defense — anti-bot defense
A decision tree plus reverse-DNS verification tells the real Googlebot from bots impersonating it.
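
The reverse-DNS verification behind that statement is forward-confirmed reverse DNS: the IP's PTR name must end in a domain the crawler operator publishes, and that name must resolve back to the same IP. An added example follows (not the plugin's code) with the resolver functions injected so it runs offline on constructed DNS data; the decision tree is not shown.

```python
"""Forward-confirmed reverse DNS (FCrDNS) for crawler claims, the check behind telling
the real Googlebot from an impersonator: the IP's PTR name must end in a domain the
crawler operator publishes, and that name must resolve back to the same IP. Added
example; the resolver functions are injected so it runs offline on constructed data."""
import socket

# rDNS suffixes the operators document for their crawlers.
CRAWLER_DOMAINS = {
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}

def verify_crawler(ip: str, claimed: str, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex) -> bool:
    """True only if both the reverse and the forward lookup agree with the claim."""
    suffixes = CRAWLER_DOMAINS.get(claimed.lower())
    if not suffixes:
        return False
    try:
        host = reverse(ip)[0].rstrip(".").lower()
    except OSError:                       # no PTR record at all (socket.herror is an OSError)
        return False
    if not any(host == s or host.endswith("." + s) for s in suffixes):
        return False                      # 'crawl-1.googlebot.com.evil.example' fails here
    try:
        addresses = forward(host)[2]
    except OSError:
        return False
    return ip in addresses                # a PTR naming a host that resolves elsewhere fails here

# Constructed DNS data standing in for the real resolvers.
PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "203.0.113.5": "crawl-1.googlebot.com.evil.example",   # attacker-controlled PTR, wrong suffix
    "203.0.113.6": "crawl-66-249-66-1.googlebot.com",      # attacker-controlled PTR, borrowed name
}
A = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "crawl-1.googlebot.com.evil.example": ["203.0.113.5"],
}

def fake_reverse(ip):
    if ip not in PTR:
        raise socket.herror(1, "Unknown host")
    return PTR[ip], [], [ip]

def fake_forward(host):
    if host not in A:
        raise socket.gaierror(-2, "Name or service not known")
    return host, [], A[host]

def is_real_googlebot(ip: str) -> bool:
    return verify_crawler(ip, "googlebot", reverse=fake_reverse, forward=fake_forward)

if __name__ == "__main__":
    for ip in ("66.249.66.1", "203.0.113.5", "203.0.113.6", "198.51.100.7"):
        print(ip, "->", is_real_googlebot(ip))
```

The forward step is what defeats an attacker who controls the PTR record for their own address space: they can name their IP anything, but they cannot make a real googlebot.com hostname resolve to it. Cache the result per IP; two DNS lookups per request is too slow to do inline.
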
2FA — two-factor
TOTP second factor (RFC 6238) implemented in pure PHP, with backup codes. Works with Google Authenticator, Authy, etc.
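
For readers who want to see what the RFC 6238 algorithm does, here is an added example in Python (the plugin's own implementation is PHP and is not reproduced here): HOTP dynamic truncation, TOTP over 30-second steps with a clock-skew window, a Base32 enrolment secret and one-time backup codes, using only the standard library. It is checked against the RFC 6238 Appendix B test vectors, whose shared secret is the ASCII string 12345678901234567890.

```python
"""RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits) with a skew window and
one-time backup codes, standard library only. Added example to show what the 2FA
module's algorithm does; the plugin's own code is PHP. Checked against the RFC 6238
Appendix B test vectors (secret '12345678901234567890')."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, timestamp // step, digits, algo)

def verify_totp(secret: bytes, code: str, timestamp=None, window: int = 1, step: int = 30) -> bool:
    """Accept the current step and +/- `window` steps of clock skew; compare in constant time.
    A real deployment must also refuse to accept the same code twice (replay)."""
    if timestamp is None:
        timestamp = int(time.time())
    counter = timestamp // step
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))

def new_secret() -> str:
    """160-bit random secret, Base32 as authenticator apps expect it (32 characters)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def otpauth_uri(b32_secret: str, account: str, issuer: str = "Example Site") -> str:
    """otpauth:// URI to encode in the enrolment QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32_secret}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")

def generate_backup_codes(n: int = 10):
    """Return (codes to show once, hashes to store). Only the hashes are kept server-side;
    use a slow KDF instead of plain SHA-256 if the table could leak."""
    codes = [secrets.token_hex(5) for _ in range(n)]          # 10 hex chars, 40 bits each
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}

def use_backup_code(stored_hashes: set, code: str) -> bool:
    """Consume a backup code: valid once, then removed from the stored set."""
    h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if h in stored_hashes:
        stored_hashes.remove(h)
        return True
    return False

if __name__ == "__main__":
    s = new_secret()
    print(otpauth_uri(s, "admin@example.com"))
    print("current code:", totp(base64.b32decode(s), int(time.time())))
```

Two details matter in production beyond the arithmetic: compare codes in constant time (hmac.compare_digest above) and remember the last accepted counter per user so a captured code cannot be replayed within the skew window. The skew window itself should stay at one step; a wider one multiplies an attacker's guessing odds.
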
Decoy Admin — decoy login
Turns /wp-admin/ into a honeypot and moves the real panel to a secret URL. Anyone hitting the usual door lands in the decoy.
Vault — secrets vault
Encrypts your secrets (API keys, tokens) with AES-256-GCM and a master key derived with HKDF-SHA256.
AntiSpam — spam without CAPTCHA
Combines honeypot, HMAC token, cosine stylometry and rate limiting to stop spam without bothering users with CAPTCHAs.
CSP — Content Security Policy
Applies Content Security Policy headers to reduce the risk of XSS and unauthorized third-party scripts.
Gateway — request gateway
The entry layer that coordinates blocking: it applies IP bans, limits and IR playbook decisions to each request.

Forensics & recovery

Timeline — change timeline
Records the mtime of your PHP/JS files and alerts on recent changes. The first thing to check in an incident: what changed and when. An attacker can reset a file's mtime after editing it, so corroborate the Timeline with the Baseline hash comparison.
Time Travel — time machine
Snapshots files and database every 4 hours and lets you roll back up to 30 days. Your "undo" button for a disaster.
Auto-Clean — automatic cleanup
Downloads a clean copy of WordPress from WordPress.org and replaces modified core files, restoring them to factory state.
Backup — backups
Backups of your files and database stored on the server, ready to restore if something goes wrong.
SBOM — software inventory
Generates a Software Bill of Materials (a list of every component and its version) in the standard CycloneDX 1.5 format that audits commonly ask for.
Supply Chain — CVEs in your plugins
Matches your plugins and themes against the NVD and Patchstack vulnerability databases to warn you of known CVEs before they get exploited.
Threat Intel — threat intelligence
A federated feed of indicators of compromise (hashes, domains, malicious URLs) downloaded to cross-check against your site. Your data is never sent without consent.
GeoIP — geolocation
Resolves each IP country for blocking, Zero-Trust geo-velocity and playbook rules (e.g. alert if an admin logs in from another country).

Intelligence & reporting

Security Score — a 0–100 grade
A score that sums up your security posture from data Sentinel already has: open findings, blocks in the last 24h, playbook runs, time since the last scan and compliance. It keeps a 90-day daily history.
SIEM — export your events
Sends security events to your SIEM in its native format, no external libraries: Splunk HEC, Datadog, Elastic (ECS), Microsoft Sentinel, Sumo Logic or generic JSON/NDJSON.
Compliance — compliance reports
Generates reports with auto-filled evidence for GDPR, PCI-DSS, ISO 27001:2022 and NIS2. Handy for audits and for showing clients your security posture.
Webhooks — alerts where you work
Pings you on Slack, Discord, Teams or Telegram when something happens, with severity filters so you do not get noise.

Licenses & tiers

What does each tier include?
Free: core engines (Patterns, AST, Entropy, Baseline), AntiSpam, 2FA and Timeline. Pro: adds Fuzzy Hash, Taint, JS-AST, YARA-Lite, SAST, Supply Chain, WAF, Upload Fortress, Decoy Admin, Vault, SBOM and webhooks. Agency: adds AI Anomaly, Zero-Trust, Bot Defense, Self-Pentest, Threat Intel and Auto-Clean. Enterprise: everything above plus DB Shield, RASP, Time Travel and compliance reports.
Is the license per site?
Yes, each license is meant for one site. If you manage several, an Agency-type key covers multiple installs; or buy extra licenses from your panel.
Do I need a connection to validate the license?
No. Validation is offline: the key carries its own HMAC signature, which Sentinel checks locally, so it never needs to "phone home" to work.
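
An added example of how a key with an embedded HMAC signature is issued and checked without any network call. It is not the plugin's real key format: the layout (base64url JSON payload, a dot, base64url tag) and the fields (tier, site, exp) are assumptions. One property of the technique is worth knowing: HMAC is symmetric, so the verifier holds the same secret as the issuer; this makes the key tamper-evident and lets expiry be enforced, but it cannot stop someone who has the verifying secret from minting keys. A public-key signature (Ed25519, for example) gives offline verification without that limitation.

```python
"""Offline license validation with an HMAC signature embedded in the key, as the page
describes. Added example; the key layout (base64url payload '.' base64url tag) and the
payload fields are assumptions, not the plugin's real format."""
import base64
import binascii
import hashlib
import hmac
import json
import time

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_key(secret: bytes, tier: str, site: str, expires: int) -> str:
    """Vendor side: sign a canonical JSON payload and pack payload and tag into one string."""
    payload = json.dumps({"tier": tier, "site": site, "exp": expires},
                         sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64u(payload)}.{_b64u(tag)}"

def validate_key(secret: bytes, key: str, site: str, now=None):
    """Plugin side, no network: verify the tag first (constant time), then the site binding
    and the expiry. Returns the payload dict, or None for any failure."""
    try:
        p64, t64 = key.split(".")
        payload, tag = _unb64u(p64), _unb64u(t64)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(tag, hmac.new(secret, payload, hashlib.sha256).digest()):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    current = now if now is not None else time.time()
    if data.get("site") != site or data.get("exp", 0) < current:
        return None
    return data

if __name__ == "__main__":
    secret = b"vendor-signing-secret"                  # constructed; never a real key
    key = issue_key(secret, "pro", "shop.example", 1_800_000_000)
    print(key)
    print(validate_key(secret, key, "shop.example", now=1_750_000_000))
```

Verify the tag before parsing the payload: that way malformed or hostile JSON is never decoded unless it was signed, and the comparison is constant-time so the check leaks nothing about how close a guess was.
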

REST API & integrations

Is there a REST API?
Yes, under /wp-json/dunes-sentinel/v1/ (requires the manage_options capability plus a REST nonce). Endpoints cover scans, findings, quarantine, audit, SBOM, timeline, supply-chain, threat-intel and license. It also exports findings as SARIF 2.1 to plug into your CI.
Can I integrate it with my own code?
Yes. It exposes filters and actions: dunes_sentinel/scan_files, dunes_sentinel/finding_created, dunes_sentinel/scan_completed, dunes_sentinel/critical_event, plus wp-config constants like DUNES_SENTINEL_ENABLED.

Troubleshooting

The site breaks after activating — what do I do?
Over FTP rename the folder wp-content/plugins/dunes-sentinel/ to dunes-sentinel.disabled/: WordPress will boot without the plugin. Then reinstall a newer version or check the log.
Where are the logs?
The WP debug log at wp-content/debug.log (if WP_DEBUG_LOG is on), and Sentinel's tamper-proof audit log in the Audit tab, whose record chain you can verify.
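
What "tamper-proof with a verifiable chain" means in practice, as an added example that is not the plugin's code: each audit record's SHA-256 covers its own content and the previous record's hash, so editing or deleting one record breaks every record after it. The record fields (ts, actor, action, target) are assumptions. The example also shows the caveat a practitioner should keep in mind: a chain stored on the same host can be rewritten end to end by anyone with database access, so the head hash needs an anchor held somewhere else, for instance by the webhook or SIEM receiver.

```python
"""Tamper-evident audit log as a SHA-256 hash chain, to show what "a verifiable
chain" means in practice. Added example; the plugin's real record layout is not
documented on the page, so the fields here are assumptions."""
import hashlib
import hmac
import json

GENESIS = "0" * 64

def _record_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same entry always hashes the same way.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + body).hexdigest()

def append(log: list, ts: int, actor: str, action: str, target: str) -> dict:
    """Append one record whose hash covers its content and the previous record's hash."""
    entry = {"ts": ts, "actor": actor, "action": action, "target": target}
    prev = log[-1]["hash"] if log else GENESIS
    rec = {"entry": entry, "prev": prev, "hash": _record_hash(prev, entry)}
    log.append(rec)
    return rec

def verify(log: list):
    """Walk the chain from GENESIS; return (True, None) or (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _record_hash(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    return True, None

def anchor(log: list, key: bytes) -> str:
    """HMAC over the chain head with a key that does not live on the web server (for example
    kept by the webhook/SIEM receiver). Anyone with write access to the database could otherwise
    rewrite every record and recompute every hash; the anchor makes that detectable."""
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(key, head.encode(), "sha256").hexdigest()

def build_sample_log() -> list:
    """Constructed sample: three actions of the kind the Findings section describes."""
    log = []
    append(log, 1700000000, "admin", "confirm", "wp-content/uploads/2024/x.php")
    append(log, 1700000060, "admin", "quarantine", "wp-content/uploads/2024/x.php")
    append(log, 1700000120, "playbook:lockout", "ban_ip", "203.0.113.9")
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log))
    log[1]["entry"]["action"] = "ignore"   # an attacker edits the database row
    print("after edit:", verify(log))
```

Canonical serialization is not optional: if the same record can be encoded two ways (key order, whitespace), a verifier and a writer on different PHP or Python versions will disagree about a chain that nobody tampered with.
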
Where are backups and snapshots stored?
Time Travel snapshots in wp-content/uploads/dunes-sentinel-snapshots/ and quarantine in wp-content/uploads/dunes-sentinel-quarantine/.
How do I fully uninstall it?
Plugins → Deactivate → Delete. The uninstall.php removes tables, options, cron events and directories. That includes the quarantine and snapshot directories, so restore or export anything you still need first. A clean wipe, no leftovers.

Ready to protect your site?

Sentinel sets up all this defense in minutes. Try it today.