Honeypot Technology

Decoy Links

Hidden URLs that legitimate users will never access. When one is triggered, you know with certainty that it is scanning, crawling, or attack activity.

Decoy Link Detection



// Bot triggers the decoy
// WebDecoy captures:
{
  "decoy": "admin-trap",
  "action": "block",
  "visitor_ip": "185.x.x.x",
  "user_agent": "Python-urllib/3.9",
  "threat_score": 85
}

How Decoy Links Work

Malicious bots discover concealed links through crawling, automated scanning, or reconnaissance. Upon access, WebDecoy detects the intrusion and executes your configured response.

1. Create Decoy
   Set a name, choose your custom domain, define the URL path, and select a trigger action.

2. Deploy Hidden Links
   Add invisible links to your site using HTML, robots.txt, comments, or JavaScript variables.

3. Capture & Respond
   When bots click, WebDecoy logs the detection and executes your chosen action automatically.

Trigger Actions

Choose how WebDecoy responds when a bot triggers your decoy link.

Log (HTTP 200 OK): Monitor without alerting attackers

Block (HTTP 403 Forbidden): Active deterrence

Poison (HTTP 200 + fake data): Waste attacker resources

Redirect (HTTP 302 redirect): Route to legal notices or challenges

Deployment

Where to Place Decoy Links

Multiple deployment methods ensure bots find your decoys through various discovery techniques.

Hidden HTML Links

Invisible <a> tags with display:none styling

robots.txt

Disallowed paths that attract malicious bots

HTML Comments

URLs embedded in source code comments

JavaScript Variables

Decoys hidden in configuration objects

Sitemap Honeypots

Fake XML sitemaps containing decoy URLs

Deployment Examples

robots.txt:

User-agent: *
Disallow: /secret-admin/
Disallow: /backup/
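
The following added example, which is not WebDecoy's code, derives decoy paths from the robots.txt entries above and from a display:none anchor, then flags matching requests in access-log lines. The HTML snippet, the log lines, and all function names are constructed for illustration, and it assumes every Disallow entry is a decoy.

```python
import re
from html.parser import HTMLParser
# Constructed sample inputs (documentation-range IPs, not real traffic).
ROBOTS_TXT = "User-agent: *\nDisallow: /secret-admin/\nDisallow: /backup/\n"
PAGE_HTML = '<a href="/products">Shop</a><a href="/admin-trap" style="display:none">x</a>'
ACCESS_LOG = [
    '198.51.100.7 - - [10/Mar/2025:10:00:01 +0000] "GET /products HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2025:10:00:02 +0000] "GET /backup/db.sql HTTP/1.1" 404 0 "-" "Python-urllib/3.9"',
    '203.0.113.9 - - [10/Mar/2025:10:00:03 +0000] "GET /admin-trap?x=1 HTTP/1.1" 404 0 "-" "Python-urllib/3.9"',
    '198.51.100.7 - - [10/Mar/2025:10:00:04 +0000] "GET /backups-policy HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

class HiddenLinks(HTMLParser):
    """Collect href values of <a> tags styled display:none."""
    def __init__(self):
        super().__init__()
        self.paths = []
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        style = (attr.get("style") or "").replace(" ", "").lower()
        if tag == "a" and "display:none" in style and attr.get("href"):
            self.paths.append(attr["href"])

def decoy_paths(robots_txt, html):
    """Decoys = robots.txt Disallow entries (assumed all decoys) + hidden anchors."""
    rules = (l.split(":", 1) for l in robots_txt.splitlines() if ":" in l)
    paths = [v.strip() for k, v in rules if k.strip().lower() == "disallow" and v.strip()]
    parser = HiddenLinks()
    parser.feed(html)
    return paths + parser.paths

def matches(path, decoy):
    """Directory decoys ("/backup/") match by prefix, file decoys exactly."""
    path = path.split("?", 1)[0]
    return path.startswith(decoy) if decoy.endswith("/") else path == decoy

def detect(log_lines, decoys):
    """Return one event per log line whose request path hits a decoy."""
    events = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, path, ua = m.groups()
        hit = next((d for d in decoys if matches(path, d)), None)
        if hit:
            events.append({"decoy": hit, "visitor_ip": ip, "user_agent": ua})
    return events
```

The request for /backups-policy is not flagged: directory decoys match only on the full prefix including the trailing slash, so a real page with a similar name does not trip the trap.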





Decoy Link Features

Invisible to Users

Hidden URLs that legitimate users will never access. Only bots crawling your HTML or scanning for vulnerabilities will find them.

Zero False Positives

When a decoy is triggered, you know with certainty it was scanning, crawling, or attack activity - not a real user.

Custom Domains

Deploy decoys on your own domain with automatic SSL via Let's Encrypt. Bots can't distinguish decoys from real content.

Configurable Actions

Choose how to respond: Log silently, Block with 403, Poison with fake data, or Redirect to another URL.

Advanced Options

Set click limits, expiration dates, and custom poison content. Full control over each decoy's behavior.

Detection Dashboard

View click counts, filter by status, sort by criteria, and manage all your decoys from one interface.

Why Choose Honeypot Links Over Other Bot Detection

Decoy links offer unique advantages that other bot detection methods cannot match.

100% Accuracy

Unlike behavioral analysis or fingerprinting that can produce false positives, honeypot links are definitive. A real user will never access a hidden link, so every trigger is a confirmed bot.

Zero User Friction

No CAPTCHAs, no challenges, no interruptions. Legitimate visitors never know the honeypots exist. Your conversion rates stay high while bots get caught silently.

Works Against AI Bots

Even sophisticated AI scrapers like GPTBot and browser automation tools must parse your HTML. Hidden links catch them regardless of how human-like their behavior appears.

Frequently Asked Questions

Common questions about honeypot links and bot trap technology.

What is a honeypot link and how does it detect bots?

A honeypot link is an invisible URL hidden in your website that legitimate users cannot see or access. Bots that crawl your HTML, scan for vulnerabilities, or follow every link automatically trigger these traps. When a honeypot link is accessed, WebDecoy knows with 100% certainty that the visitor is a bot, enabling zero false positive detection.

Will honeypot links affect my SEO or legitimate search engine crawlers?

No. WebDecoy automatically whitelists verified search engine crawlers like Googlebot and Bingbot using cryptographic verification. Your legitimate SEO traffic is never affected. Additionally, you can configure your decoy links to only target malicious bots while allowing good crawlers to pass through.

How do I deploy hidden links on my website?

You can deploy honeypot links in multiple ways: hidden HTML anchor tags with display:none styling, entries in your robots.txt file, URLs in HTML comments, JavaScript variables, or fake sitemap entries. WebDecoy provides code snippets for each method that you can copy directly into your site.

What happens when a bot triggers a decoy link?

You configure the response action: Log silently to monitor without alerting attackers, Block with a 403 Forbidden response, Poison with fake data to waste attacker resources, or Redirect to a legal notice or challenge page. Each action is logged with full details including IP, user agent, and threat score.

How are honeypot links different from CAPTCHAs?

Unlike CAPTCHAs that interrupt every user and can be solved by AI services, honeypot links are completely invisible to legitimate visitors. They provide a frictionless experience with higher accuracy. Studies show honeypots have 95%+ effectiveness compared to 80% for CAPTCHAs, with near-zero false positives.

Ready to deploy honeypot links?

Start catching bots in minutes with invisible bot traps. Zero false positives guaranteed.
