Honeypot Decoy Paths: Banning Scanners on Their First Probe

Patrick Schlesinger

A WordPress honeypot works because no real visitor ever requests /.env.backup or wp-config.old.php. ReportedIP Hive’s Decoy Path Block treats the first hit to any of 40 bait paths as the attack indicator — no counting window, no waiting.

This guide covers the bait list, why the sensor does not ban the IP locally, and how to push the block to the server level.

What is ReportedIP Hive?

ReportedIP Hive is a complete WordPress security plugin — 12 attack sensors, four 2FA methods, progressive blocking and opt-in community threat intelligence in one free, GPL-2.0 plugin. The Decoy Path Block is a free-tier sensor. See the full ReportedIP Hive feature set for everything else.

40 bait paths, one signal

Introduced in 2.0.9 and expanded from 16 to 40 entries in 2.0.14, the decoy list covers the files attackers probe for after a misconfigured deploy:

  • The full wp-config.php.* backup family — .bak, .old, .save, .orig, .swp, .txt and a trailing ~.
  • .env backups — .production.bak, .local.bak, .orig — and Joomla’s configuration.php.bak.
  • SQL dumps at the webroot — dump.sql, database.sql, backup.sql, db.sql.
  • Apache .htpasswd / .htaccess.bak, AWS credentials (.aws/credentials, .aws/config), SSH keys (.ssh/id_rsa, .ssh/authorized_keys) and private-key files (id_rsa, private.key, server.key).

Extend the list with the reportedip_hive_decoy_paths filter. The matcher also recognises a bait filename behind one subdirectory prefix, so /site-a/.env.backup on a Multisite subdir install is caught the same way.
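The matching behaviour described above, as an added example that is not the plugin's own code: a standalone PHP script with a constructed subset of the bait list, a matcher that accepts a bait entry at the webroot or behind exactly one subdirectory prefix, and the reportedip_hive_decoy_paths filter registration a site owner would use to extend the list. The filter callback signature (an array of relative paths in, the same shape out) and the function names are assumptions; only the filter name and the bait entries come from the guide.

```php
<?php
// Added example, not ReportedIP Hive's own code. The bait list is a
// constructed subset of the 40 entries the guide names; the filter's
// argument shape (array of relative paths) is an assumption.
declare(strict_types=1);

/** Constructed subset of the decoy list, optionally extended via the filter. */
function rih_example_decoy_paths(): array
{
    $paths = [
        'wp-config.php.bak', 'wp-config.php.old', 'wp-config.php.save',
        'wp-config.php.orig', 'wp-config.php.swp', 'wp-config.php.txt',
        'wp-config.php~', 'wp-config.old.php',
        '.env.backup', '.env.production.bak', '.env.local.bak', '.env.orig',
        'configuration.php.bak',
        'dump.sql', 'database.sql', 'backup.sql', 'db.sql',
        '.htpasswd', '.htaccess.bak',
        '.aws/credentials', '.aws/config',
        '.ssh/id_rsa', '.ssh/authorized_keys',
        'id_rsa', 'private.key', 'server.key',
    ];
    // Inside WordPress the list passes through the filter named in the guide;
    // from the CLI (no WordPress loaded) apply_filters() does not exist.
    if (function_exists('apply_filters')) {
        $paths = apply_filters('reportedip_hive_decoy_paths', $paths);
    }
    return $paths;
}

/**
 * Return the matched bait entry, or null. An entry matches when the request
 * path equals it, or equals it behind exactly one subdirectory prefix
 * (the Multisite subdir case from the guide). Two or more prefixes do not match.
 */
function rih_example_match_decoy(string $request_uri, array $paths): ?string
{
    // Drop query string and fragment, decode once, collapse repeated slashes.
    $path = (string) parse_url($request_uri, PHP_URL_PATH);
    $path = rawurldecode($path);
    $path = preg_replace('#/+#', '/', $path);
    $path = ltrim($path, '/');

    foreach ($paths as $bait) {
        $bait = ltrim($bait, '/');
        if ($path === $bait) {
            return $bait;
        }
        // "site-a/.env.backup" matches; "a/b/.env.backup" does not.
        if (preg_match('#^[^/]+/' . preg_quote($bait, '#') . '$#', $path)) {
            return $bait;
        }
    }
    return null;
}

// How a site owner extends the list; registered only when WordPress is loaded.
if (function_exists('add_filter')) {
    add_filter('reportedip_hive_decoy_paths', function (array $paths): array {
        $paths[] = 'backup.zip'; // constructed extra bait entry
        return $paths;
    });
}

// Constructed sample requests exercising each branch of the matcher.
$samples = [
    '/.env.backup?x=1',
    '/site-a/wp-config.php.bak',
    '/%2Eaws/credentials',
    '/a/b/dump.sql',
    '/wp-admin/',
];
foreach ($samples as $uri) {
    $hit = rih_example_match_decoy($uri, rih_example_decoy_paths());
    printf("%-30s %s\n", $uri, $hit === null ? 'clean' : "decoy hit: $hit");
}
```

Run it with php from the command line: the first three requests report a decoy hit (the third after percent-decoding), while /a/b/dump.sql stays clean because it sits two directories deep, which is the boundary the guide describes. Keep the list relative (no leading slash) so a filter that appends entries does not have to care about normalisation.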

Why it does not ban the IP locally

Since 2.0.11 the decoy sensor deliberately does not add the source IP to the local block table. A single false positive — a legitimate backup plugin, an admin testing on the live site, an old crawler probing a stale URL — would otherwise lock the site out of its own traffic for hours. Instead, each hit is logged at severity high, forwarded to the community-reputation queue (event decoy_pathblock_hit), and the visitor receives a 403 for that one request. The community layer is where the reputation cost lands, network-wide.

Move the block to the server for real bait files

If a real bait file sits on disk (an .env.backup left behind by Composer, for example), Apache or nginx could serve it before PHP runs. Hive auto-manages an .htaccess rewrite block (between # BEGIN ReportedIP Hive Decoy / # END markers) that routes those requests through index.php for detection instead of serving the file. nginx users get an equivalent snippet in the Settings tab, including an exact-match variant for ISPConfig and managed stacks where a template location ~ /. { deny all; } rule would otherwise win. The plugin never writes to your server config itself — it only generates the snippet to paste.
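An added example of the server-level redirection described above, not the plugin's own code: a PHP script that renders an .htaccess block between the # BEGIN ReportedIP Hive Decoy / # END markers, splices it into an existing .htaccess idempotently, and renders the nginx equivalent in both the regex form and the exact-match form that outranks a template deny rule. The exact rule text Hive writes is not on the page, so the RewriteRule and location lines are an assumption that implements the described behaviour (route the bait request to index.php even when the file exists on disk); the bait list is a constructed subset and the function names are hypothetical.

```php
<?php
// Added example, not ReportedIP Hive's own code. The rule text is an
// assumption implementing the behaviour the guide describes; the bait list
// is a constructed subset.
declare(strict_types=1);

const RIH_EXAMPLE_BEGIN = '# BEGIN ReportedIP Hive Decoy';
const RIH_EXAMPLE_END   = '# END ReportedIP Hive Decoy';

/** Apache block: one RewriteRule per bait path, at the webroot or one subdirectory deep. */
function rih_example_htaccess_block(array $paths): string
{
    $lines = [RIH_EXAMPLE_BEGIN, '<IfModule mod_rewrite.c>', 'RewriteEngine On'];
    foreach ($paths as $bait) {
        $re = preg_quote(ltrim($bait, '/'), '/');
        // No "!-f" condition on purpose: a real file on disk must still be
        // routed to index.php, where the decoy sensor logs it and answers 403.
        $lines[] = sprintf('RewriteRule ^(?:[^/]+/)?%s$ index.php [L,NC]', $re);
    }
    $lines[] = '</IfModule>';
    $lines[] = RIH_EXAMPLE_END;
    return implode("\n", $lines) . "\n";
}

/**
 * Replace an existing marker-delimited block, or place the block at the top
 * so it runs before WordPress's own "!-f" rules. WordPress core has
 * insert_with_markers() for this job; the standalone version keeps the
 * example runnable outside WordPress.
 */
function rih_example_splice_block(string $existing, string $block): string
{
    $pattern = '/' . preg_quote(RIH_EXAMPLE_BEGIN, '/') . '.*?'
             . preg_quote(RIH_EXAMPLE_END, '/') . '\n?/s';
    if (preg_match($pattern, $existing)) {
        // Callback form so "$" characters inside the block are not treated as
        // back-references by preg_replace().
        return preg_replace_callback($pattern, fn() => $block, $existing, 1);
    }
    return $block . $existing;
}

/**
 * nginx equivalent. With $exact = true each bait path becomes a
 * "location =" block, which nginx prefers over any regex location such as a
 * template "location ~ /\. { deny all; }" that would otherwise answer first
 * and hide the probe from PHP (the ISPConfig / managed-stack case).
 */
function rih_example_nginx_snippet(array $paths, bool $exact = false): string
{
    $lines = [];
    foreach ($paths as $bait) {
        $bait = ltrim($bait, '/');
        $lines[] = $exact
            ? sprintf('location = /%s { rewrite ^ /index.php last; }', $bait)
            : sprintf('location ~ ^/(?:[^/]+/)?%s$ { rewrite ^ /index.php last; }',
                      preg_quote($bait, '/'));
    }
    return implode("\n", $lines) . "\n";
}

// Constructed subset of bait paths and a minimal constructed .htaccess.
$paths    = ['.env.backup', 'wp-config.php.bak', '.aws/credentials'];
$existing = "# BEGIN WordPress\nRewriteEngine On\n"
          . "RewriteCond %{REQUEST_FILENAME} !-f\n"
          . "RewriteRule . /index.php [L]\n# END WordPress\n";

$once  = rih_example_splice_block($existing, rih_example_htaccess_block($paths));
$twice = rih_example_splice_block($once, rih_example_htaccess_block($paths));
echo $once;
echo "idempotent: ", ($once === $twice ? 'yes' : 'no'), "\n\n";
echo rih_example_nginx_snippet($paths);
echo rih_example_nginx_snippet($paths, true);
```

The decoy block is placed ahead of the WordPress block because WordPress's own rewrite is guarded by a RewriteCond that skips existing files, which is exactly the case the guide is concerned with. The nginx snippet is printed, never written, matching the guide's point that the server config is yours to paste.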

Related guides

Server-level hardening detail is in the honeypot server documentation. Browse the full ReportedIP Hive plugin guides or read the decoy code on GitHub.
