# Decoy Links

## What Are Decoy Links?

A decoy link (also called a honeypot link) is a hidden URL that legitimate users will never access. When someone does access it, you know immediately that they’re scanning, crawling, or attacking your site.
### How Decoy Links Work

```text
Your Website
├── /index.html        ← Visible to users
├── /about.html        ← Visible to users
├── /contact.html      ← Visible to users
└── /admin-backup.zip  ← DECOY (hidden, only bots find it)
          │
          ▼
   Bot accesses decoy
          │
          ▼
   Detection created
          │
          ▼
   Alert/Block action
```

### Why Attackers Trigger Decoys

- Automated scanners crawl every link they find
- Vulnerability tools probe common paths like `/admin`, `/backup`
- Scrapers follow all links, including hidden ones
- Reconnaissance maps your entire site structure
### The Deception Advantage

| Traditional Security | Deception Security |
|---|---|
| Tries to block known attacks | Detects unknown attackers |
| Relies on signatures | Catches by behavior |
| High false positive rate | Zero false positives (only bots trigger decoys) |
| Attackers can evade | Attackers don’t know what’s a trap |
## Creating Your First Decoy Link

### Step-by-Step Guide

1. Navigate to Decoys
   - Click Decoys in the sidebar
2. Click “New Decoy”
   - The create decoy dialog opens
3. Configure the Decoy

   | Field | Description | Example |
   |---|---|---|
   | Name | Internal name for identification | “Admin Backup Trap” |
   | Domain | Custom domain to use | decoy.yoursite.com |
   | Path | URL path for the decoy | /admin/backup.zip |
   | Trigger Action | What happens when accessed | Log, Block, etc. |

4. Click “Create”
   - Your decoy is created and active immediately
5. Deploy the Decoy
   - Add a hidden link to your website pointing to the decoy URL
   - See Deploying Decoy Links for deployment methods
### Full Decoy URL

Your decoy URL is constructed as:

```text
https://{domain}{path}
```

Example:

- Domain: `decoy.yoursite.com`
- Path: `/admin/backup.zip`
- Full URL: `https://decoy.yoursite.com/admin/backup.zip`
## Trigger Actions

When someone accesses a decoy, WebDecoy can respond in different ways.
### Available Actions

| Action | Behavior | Best For |
|---|---|---|
| Log | Record the access, return 200 OK | Monitoring, intelligence gathering |
| Block | Record and return 403 Forbidden | Active defense, deterrence |
| Poison | Return fake/misleading data | Wasting attacker time |
| Redirect | Redirect to another URL | Directing to legal notices |
### Log Action

The default action. Records the detection and returns a normal-looking response.
Response:
- HTTP 200 OK
- Generic or customized content
Use when:
- You want to monitor without tipping off attackers
- Gathering intelligence on attack patterns
- Running decoys in observation mode
### Block Action

Records the detection and returns an access denied response.
Response:
- HTTP 403 Forbidden
- Access denied message
Use when:
- You want to actively deter attackers
- Combined with integration blocking (Cloudflare, WAF)
- Sending a clear “you’re caught” message
### Poison Action

Returns fake data designed to waste attacker time or mislead them.
Response:
- HTTP 200 OK
- Fake credentials, dummy data, or misleading information
Examples:
- Fake database dumps with invalid data
- Honeypot credentials that trigger alerts
- Large files that waste bandwidth
Use when:
- You want to actively mislead attackers
- Wasting attacker resources
- Creating uncertainty about what’s real
### Redirect Action

Redirects the request to another URL.
Response:
- HTTP 302 Redirect
- Redirects to configured URL
Use when:
- Directing to a legal warning page
- Sending to a law enforcement reporting portal
- Redirecting to a CAPTCHA challenge
## Advanced Decoy Options

### Click Limits
Section titled “Click Limits”Set a maximum number of times a decoy can be triggered:
| Setting | Behavior |
|---|---|
| No limit (default) | Decoy remains active indefinitely |
| Click limit: 100 | Decoy deactivates after 100 triggers |
Use when:
- Running time-limited campaigns
- Preventing excessive log data
- Testing specific scenarios
### Expiration Date

Set when a decoy should automatically deactivate:
| Setting | Behavior |
|---|---|
| No expiration (default) | Decoy remains active indefinitely |
| Expires: 2025-06-01 | Decoy deactivates on that date |
Use when:
- Temporary honeypots for specific campaigns
- Compliance requirements
- Rotating decoy strategies
### Description

Add internal notes about the decoy:

```text
Description: "Placed in robots.txt disallow section to catch bots
that ignore robots.txt rules. Monitoring campaign started 2025-01."
```

Use for:
- Documenting the decoy’s purpose
- Tracking which campaign it belongs to
- Notes for team members
### Poison Content

When using the “Poison” action, specify what fake data to return:

```json
{
  "users": [
    {"email": "admin@fake.com", "password": "honeypot123"},
    {"email": "root@fake.com", "password": "canary456"}
  ]
}
```

Tips:
- Make it look realistic
- Include obvious honeypot markers for tracking
- Don’t include real data
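As an added example (not WebDecoy’s own code), the following Python models how a decoy endpoint applies the trigger actions, click limit and expiration described above, recording a detection on every active hit. The `Decoy` fields, the detection record layout and the plain 404 fall-through for inactive decoys are assumptions made for illustration.

```python
"""Decoy trigger policy (added example, not WebDecoy's own code): models the four
trigger actions plus click limits and expiration from the docs above. The Decoy
structure, the detection record and the 404 fall-through are assumptions."""
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Decoy:
    name: str
    path: str
    action: str = "log"                    # log | block | poison | redirect
    click_limit: Optional[int] = None      # None = no limit
    expires: Optional[date] = None         # None = no expiration
    poison_content: Optional[dict] = None  # fake data for the poison action
    redirect_to: Optional[str] = None      # target for the redirect action
    clicks: int = 0

    def is_active(self, today: date) -> bool:
        if self.expires is not None and today >= self.expires:  # deactivates on that date
            return False
        return self.click_limit is None or self.clicks < self.click_limit

def handle_request(decoys, path, client_ip, detections, today=None):
    """Return (status, headers, body); on an active-decoy hit, append a detection record."""
    today = today or date.today()
    decoy = next((d for d in decoys if d.path == path and d.is_active(today)), None)
    if decoy is None:
        return 404, {}, "Not Found"  # not a decoy, or expired/exhausted: nothing recorded
    decoy.clicks += 1
    detections.append({"decoy": decoy.name, "path": path, "ip": client_ip,
                       "date": today.isoformat(), "action": decoy.action})
    if decoy.action == "block":      # record, then tell the scanner it was caught
        return 403, {}, "Access denied"
    if decoy.action == "poison":     # record, then hand back the fake data
        return 200, {"Content-Type": "application/json"}, json.dumps(decoy.poison_content or {})
    if decoy.action == "redirect":   # record, then send to the configured URL
        return 302, {"Location": decoy.redirect_to}, ""
    return 200, {"Content-Type": "text/html"}, "<html><body>OK</body></html>"  # log: look normal

def run_sample():  # constructed scenario: block decoy with click limit 2, plus an expired log decoy
    detections = []
    decoys = [Decoy("Admin Backup Trap", "/admin/backup.zip", "block", click_limit=2),
              Decoy("Old campaign", "/backup.sql", "log", expires=date(2025, 1, 1))]
    paths = ["/admin/backup.zip"] * 3 + ["/backup.sql", "/index.html"]
    statuses = [handle_request(decoys, p, "203.0.113.5", detections, date(2025, 5, 1))[0] for p in paths]
    return statuses, detections
```

Running `run_sample()` shows the third hit on the click-limited decoy and the hit on the expired decoy falling through without a detection.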
## Deploying Decoy Links

Decoys only work if attackers can find them. Here are methods to deploy decoy links.

### Method 1: Hidden HTML Links

Add an invisible link to your website:

```html
<!-- Hidden decoy link - invisible to users, visible to bots -->
<a href="https://decoy.yoursite.com/admin/backup.zip"
   style="display:none; visibility:hidden; position:absolute; left:-9999px;">
  Admin Backup
</a>
```

Where to place:

- Footer of every page
- Inside a hidden `<div>`
- In the `<head>` section as a `<link>` tag
### Method 2: robots.txt (Reverse Psychology)

Add decoys to robots.txt with “Disallow” - malicious bots often target these paths:

```text
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /admin/backup.zip   # This is actually a decoy!
```

Why this works:
- Legitimate bots respect robots.txt
- Malicious bots specifically target disallowed paths
- Creates a perfect trap
### Method 3: HTML Comments

Embed decoy URLs in HTML comments:

```html
<!-- TODO: Remove before production
     Backup location: https://decoy.yoursite.com/db_backup_2024.sql -->
```

Why this works:
- Attackers often search source code for sensitive paths
- Comments look like developer mistakes
- Very convincing to automated scanners
### Method 4: JavaScript Variables

Hide decoy URLs in JavaScript:

```javascript
// Configuration - do not modify
var config = {
  apiEndpoint: "/api/v1",
  adminPath: "https://decoy.yoursite.com/admin/debug",   // Decoy!
  backupUrl: "https://decoy.yoursite.com/backup.tar.gz"  // Decoy!
};
```

### Method 5: Sitemap Honeypot

Create a fake sitemap with decoy URLs:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url>
    <loc>https://decoy.yoursite.com/admin/config.php</loc>
  </url>
  <url>
    <loc>https://decoy.yoursite.com/backup/database.sql</loc>
  </url>
</urlset>
```

### Recommended Decoy Paths

These paths are commonly targeted by attackers:
| Category | Example Paths |
|---|---|
| Admin | /admin, /administrator, /wp-admin, /admin.php |
| Backup | /backup.zip, /backup.sql, /db_backup.tar.gz |
| Config | /config.php, /settings.json, /.env, /wp-config.php |
| Debug | /debug, /phpinfo.php, /test.php, /info.php |
| API | /api/admin, /api/debug, /graphql/admin |
| Files | /passwords.txt, /users.csv, /credentials.json |
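A decoy that was created but never placed on the site catches nothing. As an added example (not WebDecoy’s own code), this Python check parses a page and reports, for each decoy URL you expect, whether it is present through one of the deployment methods above (hidden anchor, `<head>` `<link>` tag, HTML comment or inline script variable) and whether a visitor could actually see it. The decoy host and the sample page are constructed for illustration.

```python
"""Deployment check (added example, not WebDecoy's own code): parse a page and
report, per decoy URL, whether it is present, how it is embedded (anchor, <link>,
HTML comment or script) and whether a user could see it. Host and page are constructed."""
import re
from html.parser import HTMLParser

DECOY_HOST = "decoy.yoursite.com"  # assumed decoy domain, as in the docs above
URL_RE = re.compile(r"https?://" + re.escape(DECOY_HOST) + r"[^\s\"'<>]*")
HIDDEN_CSS = ("display:none", "visibility:hidden", "left:-9999px")

class DecoyFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found, self._in_script = [], False   # found: (method, url, hidden)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_script = self._in_script or tag == "script"
        href = a.get("href") or ""
        if tag in ("a", "link") and DECOY_HOST in href:
            style = (a.get("style") or "").replace(" ", "").lower()
            # a <link> never renders; an <a> counts as hidden only with hiding CSS (Method 1)
            self.found.append((tag, href, tag == "link" or any(c in style for c in HIDDEN_CSS)))

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_comment(self, data):   # Method 3: URLs inside HTML comments
        self.found += [("comment", u, True) for u in URL_RE.findall(data)]

    def handle_data(self, data):      # Method 4: URLs inside inline scripts
        if self._in_script:
            self.found += [("script", u, True) for u in URL_RE.findall(data)]

def audit_page(html, expected_urls):
    """Map each expected decoy URL to {deployed, hidden, methods}; missing ones show up."""
    parser = DecoyFinder()
    parser.feed(html)
    report = {}
    for url in expected_urls:
        hits = [(m, h) for m, u, h in parser.found if u == url]
        report[url] = {"deployed": bool(hits), "hidden": bool(hits) and all(h for _, h in hits),
                       "methods": sorted({m for m, _ in hits})}
    return report

SAMPLE_HTML = """<html><head><link rel="prefetch" href="https://decoy.yoursite.com/admin/backup.zip">
<script>var config = {adminPath: "https://decoy.yoursite.com/admin/debug"};</script></head>
<body><!-- TODO: remove before production. Backup: https://decoy.yoursite.com/db_backup_2024.sql -->
<a href="https://decoy.yoursite.com/backup.tar.gz">Download</a></body></html>"""
```

In the constructed page the `backup.tar.gz` anchor has no hiding CSS, so the report flags it as visible, the case the Don’ts below warn about.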
## Viewing and Managing Decoys

### Decoys List Page
Section titled “Decoys List Page”Navigate to Decoys to see all your decoy links:
| Column | Description |
|---|---|
| Name | Your internal name for the decoy |
| Status | Active or Inactive |
| Action | Log, Block, Poison, or Redirect |
| Clicks | Number of times triggered |
| Created | Creation date |
| Actions | Menu with edit, delete, copy URL |
### Filtering and Sorting

Filter by Status:
- All
- Active only
- Inactive only
Sort by:
- Creation date (newest/oldest)
- Click count (most/least)
- Name (A-Z, Z-A)
### Searching Decoys

Use the search box to find decoys by:
- Name
- Short code
- Path
### Copying Decoy URL

- Find the decoy in the list
- Click the menu (three dots)
- Select Copy URL
- The full URL is copied to your clipboard
### Toggling Decoy Status

To activate or deactivate a decoy:
- Find the decoy in the list
- Click the toggle switch in the Status column
- The decoy is immediately activated/deactivated
### Editing a Decoy

- Click the menu (three dots)
- Select Edit
- Modify the decoy settings
- Click Save
### Deleting a Decoy

- Click the menu (three dots)
- Select Delete
- Confirm the deletion
- The decoy is permanently removed
Note: Detections from deleted decoys are preserved for historical records.
## Decoy Best Practices

- ✅ Use realistic-looking paths
- ✅ Deploy multiple decoys across your site
- ✅ Include decoys in robots.txt (as disallowed)
- ✅ Rotate decoys periodically
- ✅ Monitor detection patterns
### Don’ts

- ❌ Use obviously fake names like “honeypot.html”
- ❌ Place decoys where legitimate users might click
- ❌ Forget to deploy the link on your actual site
- ❌ Use the same decoy across all properties
- ❌ Ignore the detection data
## Next Steps

Learn about more advanced honeypots:
- Endpoints (API Honeypots) - Create fake API endpoints for detecting attacks