BotPot Honeypot Deployment Guide

Controlled crawler redirection, decoy endpoints, and synthetic dataset delivery at the Apache layer.

Overview

This package redirects selected crawlers, such as ClaudeBot, away from your actual site content and into a controlled payload file named botpot.json.

This operates at the .htaccess / Apache level, before WordPress or PHP runs. As a result, Wordfence may not log these requests if they never reach WordPress.

Included Components

botpot.json

The synthetic dataset payload served to targeted crawlers.

Decoy Directories

Bait paths such as /llm-index/ and /vector-db/ to attract crawler attention.

.htaccess Rules

Controls crawler matching and redirects matching requests into the honeypot.

setup.sh

Builds the decoy directory structure for upload or deployment.

Deployment Steps

Step 1

Make the setup script executable

Run the following command from the directory containing setup.sh:

chmod +x setup.sh

Then run the script:

./setup.sh

This constructs the decoy directories used as bait endpoints.

/ai-training-dataset/
/llm-index/
/vector-db/

Step 2

Upload the decoy directories and botpot.json

Upload the generated decoy directories and your botpot.json file to your public web root.

Example web root locations may include: /var/www/html/, /home/username/public_html/, or your hosting account’s document root.

Verify that the payload file is reachable:

http://www.example.com/botpot.json

Step 3

Edit your .htaccess file

Paste the honeypot block at the very beginning of your main .htaccess file, above WordPress or other CMS rules.

# =========================
# BOTPOT REDIRECT (Claude / Anthropic)
# =========================

<IfModule mod_rewrite.c>
RewriteEngine On

# Prevent rewrite loop
RewriteCond %{REQUEST_URI} !^/botpot\.json$ [NC]

# Target bot user agents
RewriteCond %{HTTP_USER_AGENT} (?i)claudebot [OR]
RewriteCond %{HTTP_USER_AGENT} (?i)anthropic [OR]
RewriteCond %{HTTP_USER_AGENT} (?i)claude

# Internally serve botpot payload
RewriteRule ^ /botpot.json [L]
</IfModule>

<IfModule mod_headers.c>
Header set X-Botpot "HT-7F3A9"
</IfModule>

Place this block above any # BEGIN WordPress section. Apache processes rules top to bottom.

Step 4

Test using curl

Use the following command to simulate ClaudeBot:

curl -I -A "ClaudeBot/1.0" http://www.example.com/

Expected response characteristics:

HTTP/1.1 200 OK
Content-Type: application/json
X-Botpot: HT-7F3A9

To verify the actual payload contents:

curl -A "ClaudeBot/1.0" http://www.example.com/

Optional Hidden Discovery Snippet

To help crawlers discover decoy endpoints naturally, you may place the following hidden links into a global template such as a footer:

<div style="position:absolute; left:-9999px;">
  <a href="/llm-index/">.</a>
  <a href="/ai-training-dataset/">.</a>
  <a href="/vector-db/">.</a>
</div>

These links are invisible to normal users but still visible to crawlers parsing page markup.

Monitoring

Since this system operates before WordPress, monitoring is best performed using Apache access logs rather than Wordfence.

tail -f /var/log/apache2/access.log

Look for user agents such as:

ClaudeBot/1.0

Visitor Type	Expected Result
Normal browser	Receives your real site
ClaudeBot	Receives botpot.json
Direct payload request	Returns the JSON payload normally

Notes

This version is intended to be a frozen baseline.
It redirects selected bots instead of blocking them.
The payload can be updated independently without changing the redirect logic.
Additional bots can be added later by extending the user-agent match conditions.

Current operational model: targeted crawler arrives, receives controlled JSON, and never sees the real page content.