Craft Sherlock 1


Sherlock requires Craft version 2.5.0 or above.


To use Sherlock, first install the plugin and then go to the plugin settings page. Update the settings according to your needs and go to Sherlock's control panel page to run your first security scan.


The suggested workflow is as follows:

  1. Install the plugin and run your first security scan
  2. Adjust your site and server so that your site passes the security scan with as few warnings as possible
  3. Set the correct notification email address(es) 
  4. Register for a free account and use the Craft Sherlock Web App to set up a scheduled scan for your site OR set up a cron job on your server to automatically run scheduled scans


Live Mode
Whether the site is live – if on then CP alerts will be shown to all users that have access to the Sherlock plugin and notification emails will be sent if the site scan status changes from pass to fail and if known vulnerabilities are detected in installed plugins
High Security Level
Whether Sherlock should be extra critical of security issues and the resulting warnings
Header Protection
Protects your site by setting HTTP response headers that provide added security
Log All Events
Whether to log events even when Dev Mode is disabled
Notification Email Addresses
Enter the email addresses (separated by commas) that should be notified of security issues
Plugin Vulnerabilities Feed URL
The URL of of a JSON feed URL containing known plugin vulnerabilities (must begin with "https://", view the feed format)
A random string that will allow calls to the plugin and must be set for calls to work
Restrict Control Panel Access To IP Addresses
Restrict access to the control panel to the following IP addresses (one IP address per line, logged in admins always have access)
Restrict Front-End Access To IP Addresses
Restrict access to the front-end to the following IP addresses (one IP address per line, logged in admins always have access)

Config Settings

To further configure Sherlock, create a new file called sherlock.php in the craft/config/ folder. You can then disable or change the configuration values of individual tests. See the Sherlock config.php file for available tests and default options.


​return array(
    'disabledTests' => array('phpVersion'),
    'cors' => array(
        'forceFail' => false

Plugin Vulnerabilities Feed

The plugin vulnerabilities feed URL allows you to override the JSON feed URL. The feed format as well as the default feed are available at Github. The default feed will be kept updated as known plugin vulnerabilities are reported, however no responsibility is taken for how up-to-date it is. 

Cron Jobs

You can create a cron job to run scans on a regular basis. The method you use depends on your server environment and the URL is available on the plugin settings page.