Live file monitoring for web servers

Know the instant your files are tampered with

HerdSecurity monitors every file on your web server using encrypted lightweight agents. Detect malware injection, backdoors, and ransomware, and optionally restore files automatically before damage is done.

  • RSA-2048 + AES-256-GCM: zero plaintext ever leaves your server
  • PHP, Docker, SSH daemon, and WordPress plugin agents
  • File Lock auto-revert: hard mode and framework-aware mode
  • Works on shared hosting, VPS, Docker, and WordPress

No credit card required · Free forever on Individual plan · Open to all hosting environments

  • Agent tiers supported: 4
  • Encryption standard: RSA-2048
  • Fastest scan interval: 5 min
  • Individual plan: Free, forever

Everything you need to stay secure

All features are built on provably secure cryptography and operate without storing any of your file content in plaintext.

File Integrity Monitoring

Every file in your web root is hashed with SHA-256 and MD5 on every scan. Additions, modifications, and deletions are detected and classified. Supports path-based and pattern-based ignore rules to filter noise.

SHA-256 · MD5 · Ignore paths
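The baseline comparison described above, as an added Node.js example (not HerdSecurity's own code): it hashes a directory tree with SHA-256 only, applies path and pattern ignore rules, and classifies changes as added, modified, or deleted. The rule format, the function names, and the sample files are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
const fs = require('node:fs');
const path = require('node:path');

const RULES = { paths: ['cache/'], patterns: ['*.log'] }; // hypothetical: dir prefixes, "*" name globs
function isIgnored(rel, rules) {
  const glob = (g) => new RegExp('^' + g.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*') + '$');
  return rules.paths.some((p) => rel.startsWith(p)) ||
    rules.patterns.some((g) => glob(g).test(path.posix.basename(rel)));
}

// Walk root and return Map(relative path -> SHA-256 hex); symlinks are not followed.
function snapshot(root, rules, dir = root, out = new Map()) {
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const abs = path.join(dir, entry.name);
    const rel = path.relative(root, abs).split(path.sep).join('/');
    if (entry.isDirectory() && !isIgnored(rel + '/', rules)) snapshot(root, rules, abs, out);
    else if (entry.isFile() && !isIgnored(rel, rules))
      out.set(rel, crypto.createHash('sha256').update(fs.readFileSync(abs)).digest('hex'));
  }
  return out;
}

// Classify every difference between the stored baseline and the current scan.
function diffSnapshots(baseline, current) {
  const changes = { added: [], modified: [], deleted: [] };
  for (const [file, hash] of current) {
    if (!baseline.has(file)) changes.added.push(file);
    else if (baseline.get(file) !== hash) changes.modified.push(file);
  }
  for (const file of baseline.keys()) if (!current.has(file)) changes.deleted.push(file);
  return changes;
}

// Constructed demo: baseline a throwaway web root, tamper with it, then rescan.
function demo() {
  const root = fs.mkdtempSync(path.join(require('node:os').tmpdir(), 'fim-'));
  const write = (files) => Object.entries(files).forEach(([rel, data]) => {
    fs.mkdirSync(path.dirname(path.join(root, rel)), { recursive: true });
    fs.writeFileSync(path.join(root, rel), data);
  });
  write({ 'index.php': 'home', 'old.php': 'legacy', 'cache/page.html': 'v1' });
  const baseline = snapshot(root, RULES);
  write({ 'index.php': 'home+injected', 'uploads/x.php': 'new', 'cache/page.html': 'v2', 'error.log': 'n' });
  fs.rmSync(path.join(root, 'old.php'));
  const changes = diffSnapshots(baseline, snapshot(root, RULES));
  fs.rmSync(root, { recursive: true, force: true });
  return changes;
}
```

Changes under cache/ and to error.log are filtered by the ignore rules, so only the three unexpected changes are reported.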

End-to-End Encryption

Agents encrypt all scan results with your per-seal RSA-2048-OAEP public key. Private keys are stored in the database encrypted with AES-256-GCM. PHP Seal web requests are authenticated with HMAC-SHA256 and a 30-second replay window.

RSA-2048-OAEP · AES-256-GCM · HMAC-SHA256

File Lock: Automatic Revert

Enable File Lock to automatically revert any unauthorised change. Hard mode deletes new files and restores modified ones unconditionally. Framework-aware mode permits known CMS updates (e.g. WordPress upgrades) while blocking everything else.

Hard Lock · Framework-aware · WordPress-safe

Instant Email Alerts

Email alerts fire as soon as a change scan completes. Configure multiple alert contacts, set per-contact toggles for modified/added/deleted event types, and define maintenance mute windows to suppress false positives during planned deployments.

Multi-contact · Mute windows · Per-type toggles

Inline Diff Viewer

Every file change opens a side-by-side diff view with syntax highlighting (via highlight.js), so you can see exactly which lines were added, removed, or altered. Review PHP, JavaScript, HTML, CSS and more without leaving your browser.

Side-by-side · Syntax highlight · Line numbers

Agent Heartbeat Monitoring

HerdSecurity tracks the last time each agent checked in. If an agent goes silent (due to a server crash, network issue, or compromise), the dashboard alerts you within minutes, before an attacker can exploit the window.

Liveness checks · Email on silence

Force Scan & Command Queue

Trigger an immediate scan from the dashboard at any time. PHP Seal supports instant direct push (no waiting for cron). Docker, SSH daemon, and WordPress plugin agents pick up commands via a secure poll queue, with no inbound ports required.

Instant push · Poll queue · No open ports

File & Path Mute Manager

Silence alerts for individual files, directories, or glob patterns that change legitimately, such as session files, log rotations, or cache directories. Mute at the file level or set timed maintenance mute windows for your whole seal.

Per-file mute · Glob patterns · Timed windows

Scan History & Audit Log

Full scan history for every seal. Browse every past scan with file counts, change counts, and timestamps. The email notification log tracks every alert sent, which is useful for compliance reviews and incident investigation.

Scan history · Email log · Compliance-ready

Inline Diff Viewer

See exactly what changed, line by line

When a file change is detected, click to open the full diff viewer. Side-by-side panels show the before (baseline) and after (current) state of the file, with every changed line highlighted in red or green. Syntax highlighting works for PHP, JavaScript, HTML, CSS, JSON, and more.

  • Side-by-side or unified view
  • Highlight.js syntax colouring
  • Line-level additions and removals
  • Full file path and scan timestamp

Up and running in minutes

No infrastructure changes, no open inbound ports, no root access required on most setups.

Step 1

Install Agent

Upload a single PHP file, run our one-line bash install, deploy our Docker image, or install the WordPress plugin. Pick the tier that suits your hosting environment: shared host, VPS, or containerised.

Step 2

Connect Seal

Register your agent in the dashboard with a one-time install token. A unique RSA-2048 key pair is generated automatically for that seal, so no manual key management is required.

Step 3

Monitor Files

Your agent scans on your chosen schedule and posts RSA-encrypted results to HerdSecurity. Browse your file inventory, change history, and diffs directly from the dashboard.

Step 4

Auto-Lock (optional)

Enable File Lock to automatically revert any unauthorised change before it can cause damage, even while you sleep or are on holiday. Choose hard or framework-aware mode.

Four agent tiers, one for every environment

All agents use outbound-only connections (or direct push from your server). No inbound firewall rules or port forwarding needed.

Tier 1

PHP Seal

A single self-contained PHP file dropped in your web root. Dual-mode: instant web push (the dashboard calls your PHP file directly) or cron poll mode (PHP calls out on a schedule). Works on any shared hosting with PHP 7.4+.

  • Shared hosting compatible
  • Instant push or cron poll
  • File Lock supported

Tier 2

Docker Container

Mount your web root volume to the official herdsecurity/agent Docker image. Perfect for containerised deployments on Plesk, cPanel with Docker, or any bare-metal stack. Polls HerdSecurity via outbound HTTPS.

  • docker-compose ready
  • Outbound poll only
  • File Lock supported

Tier 3

SSH Daemon

Run one command over SSH: curl -s https://herdsecurity.co.uk/install.sh | bash. Creates a hardened Node.js systemd service that runs as a minimal-privilege user. Ideal for VPS and dedicated servers.

  • One-line install
  • systemd auto-start
  • File Lock supported

Tier 4

WordPress Plugin

Install directly from WP Admin. Uses wp_cron for scheduled scans and hooks into upgrader_process_complete to notify HerdSecurity of legitimate WordPress core, plugin, and theme upgrades, so File Lock doesn't revert them.

  • WP Admin upload
  • Upgrade-aware File Lock
  • wp_cron scheduling

Security architecture built without compromise

Every design decision in HerdSecurity prioritises the integrity of your data, and ours.

Data transmission security

  • RSA-2048-OAEP: All scan results are encrypted by the agent using your seal's public key. Only the HerdSecurity dashboard, which holds the private key, can decrypt them.
  • HMAC-SHA256: PHP Seal web-push requests are signed with a shared secret. A 30-second replay window prevents replay attacks.
  • One-time token: Install tokens are nulled after the agent registers its first connection; they cannot be reused.
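One way to implement the HMAC-SHA256 request signing and 30-second window described here and under End-to-End Encryption, as an added Node.js example (not HerdSecurity's own code). The "ts.nonce.body" message layout, the field names, and the nonce cache are assumptions: the page does not say whether repeats inside the window are tracked, and a timestamp check alone would accept a captured request again until the window closes.

```javascript
const crypto = require('node:crypto');

const WINDOW_MS = 30_000;     // the 30-second window stated on the page
const seenNonces = new Map(); // nonce -> expiry (nonce tracking is an assumption added here)

const mac = (secret, ts, nonce, body) =>
  crypto.createHmac('sha256', secret).update(`${ts}.${nonce}.${body}`).digest();

// Sender: sign timestamp, random nonce and body with the shared secret.
function signRequest(secret, body, now = Date.now()) {
  const ts = String(now);
  const nonce = crypto.randomBytes(16).toString('hex');
  return { ts, nonce, body, mac: mac(secret, ts, nonce, body).toString('hex') };
}

// Receiver: returns 'ok' or the reason the request was rejected.
function verifyRequest(secret, req, now = Date.now()) {
  // Strict field formats keep the "ts.nonce.body" string unambiguous.
  if (!/^\d{1,15}$/.test(req.ts) || !/^[0-9a-f]{32}$/.test(req.nonce)) return 'malformed';
  const expected = mac(secret, req.ts, req.nonce, req.body);
  const given = Buffer.from(String(req.mac), 'hex');
  // Constant-time compare; the length check stops timingSafeEqual from throwing.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return 'bad-mac';
  if (Math.abs(now - Number(req.ts)) > WINDOW_MS) return 'stale';
  for (const [n, exp] of seenNonces) if (exp < now) seenNonces.delete(n); // evict expired nonces
  if (seenNonces.has(req.nonce)) return 'replayed';
  seenNonces.set(req.nonce, Number(req.ts) + WINDOW_MS);
  return 'ok';
}

// Constructed demo: the secret, bodies and clock values are made up for illustration.
function demo() {
  const secret = 'constructed-shared-secret';
  const t0 = 1_700_000_000_000;
  const req = signRequest(secret, '{"cmd":"scan"}', t0);
  return [
    verifyRequest(secret, req, t0 + 1_000),                              // fresh request
    verifyRequest(secret, req, t0 + 2_000),                              // same nonce inside the window
    verifyRequest(secret, { ...req, body: '{"cmd":"x"}' }, t0),          // body altered after signing
    verifyRequest(secret, signRequest(secret, 'late', t0), t0 + 31_000), // outside the window
  ];
}
```

The nonce cache only has to remember entries for the length of the window, so its size is bounded by the request rate over 30 seconds.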

At-rest storage security

  • AES-256-GCM: RSA private keys are stored in the database encrypted. An attacker who gained read access to the database would not be able to decrypt scan results without the encryption master secret.
  • bcrypt: User passwords are stored using bcrypt with a cost factor of 12. Plaintext passwords are never stored or logged.
  • JWT revocation: Session tokens are tracked server-side. Logging out or changing your password immediately invalidates all active sessions, including on other devices.

Simple, transparent pricing

Start free. Upgrade when you need more power. All plans include the full dashboard and all security features.

Individual
Free

No credit card required · free forever

  • 1 seal (monitored site)
  • PHP Seal agent (Tier 1)
  • Daily scans (24-hour interval)
  • Email alerts
  • Inline diff viewer
  • RSA-2048 encrypted scans

Company (Most Popular)
£19/mo

Billed monthly · cancel any time

  • Up to 10 seals
  • All agent types (PHP, Docker, SSH, WordPress)
  • Hourly scans (60-minute min interval)
  • File Lock, hard & framework-aware modes
  • Multiple alert contacts
  • Maintenance mute windows
  • Force scan from dashboard
  • Email notification log
Start 14-day trial
Corporate
Contact

Custom pricing for agencies and large deployments

  • Unlimited seals
  • All agent types
  • 5-minute scan intervals
  • Priority support & SLA
  • On-premise deployment option
  • Custom scan paths & integrations

Frequently asked questions

Everything you need to know about how HerdSecurity works.

File integrity monitoring (FIM) means continuously checking that the files on your web server have not been altered without your knowledge. HerdSecurity's agents compute cryptographic hashes (SHA-256 and MD5) of every file at each scan, and compare them to a stored baseline. Any difference, whether a modification, a new file, or a deleted file, is flagged immediately.

No. Agents run as a background process outside your web request stack. The PHP Seal in cron mode runs independently of your web server. The SSH daemon and Docker container run as separate system services. No PHP or Node.js code is injected into your site's response path.

HerdSecurity receives file hashes (SHA-256 and MD5) for all files. For files modified or added, agents also send the file content for baseline storage and diff viewing, but only after encrypting it with your per-seal RSA-2048 public key. The HerdSecurity database stores private keys encrypted with AES-256-GCM; no file content is ever stored in plaintext.

A seal is a monitored site connection in HerdSecurity. Each seal has its own RSA key pair, agent configuration, file inventory, scan history, alert settings, and optional File Lock configuration. On the Individual plan you can have 1 seal; on the Company plan up to 10; on Corporate, unlimited.

Not if you use Framework-Aware mode. The WordPress plugin hooks into upgrader_process_complete to notify HerdSecurity of any WordPress core, plugin, or theme upgrade before it happens. HerdSecurity marks those file changes as expected, so File Lock allows them. Only unexpected changes (such as malware injection) are reverted.

You can create a maintenance mute window in the Alerts section of your seal dashboard. While a mute window is active, file changes are still detected and recorded, but email notifications are suppressed. You can also individually mute specific files or directory paths that change legitimately (such as log files or cache stores).

Yes, the PHP Seal (Tier 1) was specifically designed for shared hosting environments where you cannot install system services or run Docker. It is a single PHP file that requires only PHP 7.4+ and the openssl extension. No root access, SSH, or cron access is required in web-push mode.

Get in touch

Questions, enterprise quotes, WordPress agency pricing, or just want to say hello? We read every message.