Sherlock is a security scanner and monitor to keep your Craft CMS site secure. An essential plugin for any site that stores sensitive or important data and that should be protected from cyber attacks.

Sherlock 3 has been released, read the announcement.

Read the article on Securing Your Craft Site in 2021/2022Part 1, Part 2, Part 3.

Sherlock scan result

Features #

Security Scans
Sherlock scans your site for security vulnerabilities such as incorrect file and folder permissions, cross-origin resource sharing, cross-site request forgery, HTTP response headers, etc. and tells you how to fix them.

Encrypted Connections
Sherlock ensures that your site is forcing encrypted connections both on the front-end and back-end so as to secure user data and credentials.

Critical Updates
Sherlock runs a series of tests to ensure that your site is correctly updated and will warn you about critical security updates to the CMS, plugins and the PHP version running on your server.

CMS Configuration
Sherlock checks all of the Craft CMS configuration settings on your site to ensure that they are properly configured and safe to use on a production site.

Header Protection & Content Security Policy
Protect your site by setting HTTP response headers that provide added security and enable a Content Security Policy on the front-end of your site.

Scheduled Scans
Easily schedule security scans to automatically run daily or weekly on your site with cron jobs.

Scan Details & History
View the full details of your site’s last scan, including failed tests and warnings. For each test you can view more details and relevant documentation. You can also view a security scan history of your site over time.

Scan history

Sherlock security scan results are determined by a set of criteria used by the plugin’s standard/​high security level setting. This is only a guideline and cannot ensure that your site and server are 100% secure. The security of every site is solely the responsibility of the site owner.

Plus Edition #

The Plus edition adds the following features.

With monitoring enabled, you receive instant email notifications if your site fails a security scan. A control panel alert in the CMS also notifies you of a failed security scan.

Restrict Control Panel Access
Restrict control panel access to specific IP addresses. This is important to be able to do if you ever suspect that an account has been compromised.

Restrict Front-end Access
Restrict front-end access to specific IP addresses. This is important to be able to do if you ever find your site under attack.

Allows you to run and access previously run scans through the API.

Pro Edition #

The Pro edition adds the following features.

Sherlock integrates with third-party error monitoring tools including Bugsnag, Rollbar and Sentry. It is also possible to add your own integrations using a module or plugin.

License #

This plugin requires a free or commercial license purchasable through the Craft Plugin Store. The license fee is for the Lite edition is $0. The license fee is for the Plus edition is $199 plus $99 per subsequent year for updates (optional). The license fee is for the Pro edition is $299 plus $149 per subsequent year for updates (optional).

Requirements #

This plugin requires Craft CMS 3.1.0 or later, or 4.0.0 or later, or 5.0.0 or later.

Usage #

Getting Started #

To install the plugin, search for Sherlock” in the Craft Plugin Store, or install manually using composer.

composer require putyourlightson/craft-sherlock

Once installed, visit the Sherlock page in the control panel to run your first security scan.

Scheduling Scans #

To run regular scheduled scans, create a cron job using the following command. Change php to your PHP path (if different) and /path/to/project to your Craft project path.

#- Runs a scan daily at 6am
0 6 * * * php /path/to/project/craft sherlock/scans/run 


If you have the Plus edition then you can run and fetch scans using the API. Use the following URLs, replacing the domain name and API_KEY using your own.

#- Runs a scan

#- Returns the last scan in JSON format

#- Returns all previously run scans in JSON format

Settings #

Monitor #

Whether to monitor scans. If enabled, control panel alerts will be shown to all users that have access to the Sherlock plugin and notification emails will be sent if the site scan status changes from pass to fail and if any critical updates are detected.

Notification Email Addresses #

Enter the email addresses (separated by commas) that should be notified of security issues when monitor is enabled.

High Security Level #

Whether Sherlock should be extra critical of security issues and the resulting warnings.

Header Protection #

Protects your site by setting HTTP response headers that provide added security.

Content Security Policy #

Enables a content security policy on the front-end of your site. Before enabling enforcing of the policy, be sure to thoroughly test your site with reporting enabled. Not doing so could result in aspects of your site being broken or not functioning as expected.

API Key #

A random 32 character string that will allow calls to the plugin API.

Restrict Control Panel Access To IP Addresses #

Restrict access to the control panel to one or more IP addresses (one IP address per line, logged in admins always have access). The * and ? wildcards are supported.

Restrict Front-End Access To IP Addresses #

Restrict access to the front-end to one or more IP addresses (one IP address per line, logged in admins always have access). The * and ? wildcards are supported.

Config Settings #

Sherlock comes with a config file for a multi-environment way to set the plugin settings, as well as more advanced plugin configuration settings. To use it, copy the config.php to your project’s main config directory as sherlock.php and uncomment any settings you wish to change. All of the available settings are listed and documented in the config file.

Have a suggestion to improve the docs? Create an issue with details, and we'll do our best to integrate your ideas.