
Proactive Website Security with Custom Honeypots — A NOC Feature

By Daniel Cid (@dcid) Posted in: noc-product, website-security

Honeypotting is an art: you deploy decoy targets inside a controlled environment to observe attacker behavior and improve defenses. Real users should never hit these endpoints — they lie dormant until a scanner stumbles across them. With NOC, you can now create virtual web honeypots as part of your everyday protection strategy, identifying scanners quickly and applying defensive controls automatically.


Creating a Web Honeypot

Most web attacks are automated. Scanners probe both existing and non-existing URLs — e.g., CMS-specific paths like /administrator (Joomla!), /wp-admin and /xmlrpc.php (WordPress), /cgi-bin/, legacy file probes (e.g., TimThumb), and more. Positive responses help attackers fingerprint your stack and choose next steps.

That behavior creates an opportunity: define URLs that no legitimate user should ever visit and treat any hit as hostile. That’s the core idea behind NOC’s honeypot rules.

Creating Honeypots with NOC

Use NOC Custom Rules (available via API) to turn forbidden URL patterns into a honeypot that auto-blocks scanning IPs. For example, if your site is not WordPress, you can flag common WordPress paths:

$ curl -D - "https://my.noc.org/api?apikey=YOURAPIKEY&action=cdn/customrules/add&website=YOURSITE&rule_type=honeypot&url=/administrator%20/xmlrpc%20/wp-login&value=3600"

This rule blocks any IP that requests one of those paths for 1 hour via the WAF, cutting off further reconnaissance and reducing the risk that a weakness is discovered during scanning.
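
To see what such a rule does to traffic, the following added example (not NOC's code, and not from the original article) replays a constructed access log through the same logic: any request to a decoy path starts a 3600-second block for that IP, and that IP's other requests are refused until the block expires. It assumes prefix matching on the request path and that a hit during an active block does not extend it; the names replay and trapped_ips are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Values taken from the rule above: url=/administrator /xmlrpc /wp-login, value=3600
HONEYPOT_PREFIXES = ("/administrator", "/xmlrpc", "/wp-login")
BLOCK_SECONDS = 3600
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

# Constructed sample access log; the IPs are from documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2025:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.9 - - [10/Mar/2025:10:00:06 +0000] "GET /contact HTTP/1.1" 200 2048
198.51.100.7 - - [10/Mar/2025:10:05:00 +0000] "GET /blog?page=2 HTTP/1.1" 200 4096
203.0.113.9 - - [10/Mar/2025:10:59:59 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2025:11:00:05 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.44 - - [10/Mar/2025:11:10:00 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153
"""

def replay(log_text):
    """Replay a log through the honeypot rule; return [(ip, path, action), ...]."""
    blocked_until = {}  # ip -> datetime when the block expires
    decisions = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, stamp, target = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        path = target.split("?", 1)[0]  # match on the path, not the query string
        if ip in blocked_until and when < blocked_until[ip]:
            action = "blocked"  # still inside the block window
        elif path.startswith(HONEYPOT_PREFIXES):
            blocked_until[ip] = when + timedelta(seconds=BLOCK_SECONDS)
            action = "trap"  # decoy hit: start the block
        else:
            action = "allow"
        decisions.append((ip, path, action))
    return decisions

def trapped_ips(decisions):
    """IPs that touched a decoy path at least once."""
    return sorted({ip for ip, _path, action in decisions if action == "trap"})

if __name__ == "__main__":
    for ip, path, action in replay(SAMPLE_LOG):
        print(f"{action:8} {ip:15} {path}")
```

Replaying your own logs this way before enabling a rule shows which existing clients would be caught by a candidate decoy path.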

Going Stealth Mode

By default, blocks return a 403. For honeypots, stealth can be more effective — make the response look like a normal 404 or even a transient 503 so attackers don’t realize they’ve been caught. Add the block_response parameter:

$ curl -D - "https://my.noc.org/api?apikey=YOURAPIKEY&action=cdn/customrules/add&website=YOURSITE&rule_type=honeypot&url=/administrator%20/xmlrpc%20/wp-login&value=3600&block_response=stealthy_404"

A stealthy_404 convinces the scanner the page doesn’t exist, while your WAF silently blocks subsequent requests from that IP.

Why Honeypots Work

Honeypots turn attacker curiosity into a reliable signal: only automated scanners and bad actors should ever trip them. They’re lightweight, low-risk, and give you a proactive control to shut down recon attempts before they escalate — all without impacting real users.

Tip: Centralize Your Telemetry

Forward WAF and DNS logs to a hosted SIEM like Trunc for real-time visibility and alerting. Together with honeypots, this gives you both detection and immediate response.
