Sherlock requires Craft version 2.5.0 or above.
To use Sherlock, first install the plugin and then go to the plugin settings page. Update the settings according to your needs and go to Sherlock's control panel page to run your first security scan.
- Live Mode
  - Whether the site is live. If on, CP alerts will be shown to all users that have access to the Sherlock plugin, and notification emails will be sent if the site scan status changes from pass to fail and if known vulnerabilities are detected in installed plugins.
- High Security Level
  - Whether Sherlock should be extra critical of security issues and the resulting warnings.
- Header Protection
  - Protects your site by setting HTTP response headers that provide added security.
- Log All Events
  - Whether to log events even when Dev Mode is disabled.
- Notification Email Addresses
  - The email addresses (separated by commas) that should be notified of security issues.
- Plugin Vulnerabilities Feed URL
  - The URL of a JSON feed containing known plugin vulnerabilities (must begin with "https://", view the feed format).
- API Key
  - A random string that allows calls to the plugin. It must be set for calls to work.
- Restrict Control Panel Access To IP Addresses
  - Restrict access to the control panel to the following IP addresses (one IP address per line; logged-in admins always have access).
- Restrict Front-End Access To IP Addresses
  - Restrict access to the front-end to the following IP addresses (one IP address per line; logged-in admins always have access).
Plugin Vulnerabilities Feed
The plugin vulnerabilities feed URL setting allows you to override the default JSON feed URL. The feed format as well as the default feed are available on GitHub. The default feed will be kept updated as known plugin vulnerabilities are reported; however, no responsibility is taken for how up-to-date it is.
You can create a cron job to run scans on a regular basis. The method you use depends on your server environment and the URL is available on the plugin settings page.
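One way to schedule the scan from cron, as an added example that is not part of Sherlock's documentation or code: a POSIX shell wrapper that reads the scan URL from a private file and requests it with curl. The file path, the script path and the premise that the URL carries the API key are assumptions; copy the real URL from the plugin settings page.

```shell
#!/bin/sh
# Added example, not Sherlock's own code: cron wrapper for a scheduled scan.
# Assumption: the scan URL from the plugin settings page embeds the API key,
# so it is kept in a private file (hypothetical path) and not in the crontab.
URL_FILE="${SHERLOCK_URL_FILE:-/etc/sherlock/scan-url}"

# Accept only https:// URLs; reject whitespace, control characters, quotes
# and backslashes so the value cannot break out of the curl config line.
valid_scan_url() {
    case "$1" in
        *[[:space:][:cntrl:]]*|*\"*|*\\*) return 1 ;;
        https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# True only for a regular file with no group/other permission bits set.
private_file() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Returns 2 for a missing or over-readable URL file, 3 for a rejected URL,
# otherwise curl's exit status (non-zero on HTTP errors because of --fail).
run_scan() {
    if ! private_file "$URL_FILE"; then
        echo "sherlock-scan: $URL_FILE missing or readable by others" >&2
        return 2
    fi
    url=$(head -n 1 "$URL_FILE")
    if ! valid_scan_url "$url"; then
        echo "sherlock-scan: scan URL must begin with https://" >&2
        return 3
    fi
    # Pass the URL on stdin (--config -) so it never appears in `ps` output;
    # --max-time stops a hung scan from stacking up cron runs.
    printf 'url = "%s"\n' "$url" |
        curl --fail --silent --show-error --max-time 300 \
             --output /dev/null --config -
}

# Example crontab entry (daily at 03:15; script path is hypothetical):
#   15 3 * * * /usr/local/bin/sherlock-scan.sh run
if [ "${1:-}" = "run" ]; then
    run_scan
fi
```

Cron mails anything written to stderr to the job's owner, so a non-zero exit from curl or a rejected URL file surfaces without extra logging.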