The first step in setting up Honeypot Toolkit is to go the settings page. This page is accessible under Honeypot Toolkit in your WordPress admin menu. After accessing the page you will see several options and tabs.
General Settings tab explained
- Use Project Honey Pot – Checking this option turns on Project Honey Pot and will check all visitor IP addresses against the Project Honey Pot HTTP:BL list to assess their threat score. You must enter your Project Honey Pot API key in order for it to work.
- Use Spamcop – Checking this option will check all visitor IP addresses against the Spamcop block list to assess their threat level. No further configuration is needed for Spamcop. It is a pass fail API check.
- Use Internet Storm Center – Use the SANS Internet Storm Center API to block users based on their IP being listed in the IP API matching the criteria you set on the Internet Storm Center tab. More info: https://isc.sans.edu/api/#ip
- Check Interval – This is the interval in days that all IP addresses blocked by Project Honey Pot and Spamcop will be checked to see if they are still on their respective block lists. This check will do a DNS query for every IP in your database that was blocked because of a response from Project Honey Pot or Spamcop. Be careful setting this to a low number if you have a large number of IP addresses on your block list.
- Automatically allow Bingbot – Automatically retrieve the published list of Bingbot addresses from the Bing Webmaster site and add them to the allowlist. NOTE: After selecting this option and saving it a cron job will be set to fire in five minutes to retrieve the list of addresses. Then a cron job will fire every month to repeat the retrieval.
- Automatically allow Googlebot – Automatically retrieve the published list of Googlebot addresses from the Google Developer site and add them to the allowlist. NOTE: After selecting this option and saving it a cron job will be set to fire in five minutes to retrieve the list of addresses. Then a cron job will fire every month to repeat the retrieval.
- Site Level Lists – This option is only available on a multisite install and it gives the network admin the ability to turn the IP lists on and off for individual sites. Allow admins to manage the IP lists on each site and not just the network admin. If this option is turned on admins on every site will be able to edit the whitelist and blocklist.
- Only Allow Whitelist – This will block access to your site for all visitors unless their IP is in your whitelist.
- Monitor Login – With this enabled login errors will be counted. If a visitor generates enough login errors to reach the limit they will be blocked for a period of time. The settings to control the limit, blocked time, and time span are located on the Login tab. Users on the whitelist are not monitored. This does not report the IP to Project Honey Pot or Spamcop.
- Hide Usernames – When this is enabled the URL for all author archives will be changed to have an md5 hash instead of the username. The username presented on an article will also be changed to obfuscate it. This prevents scanning of usernames by appending ?author=## to the end of your sites URL. If a visitor attempts to log into your site with the md5 hash they will automatically be blocked if you have the Monitor Login option selected.
- Monitor 404 – With this enabled 404 errors will be counted. If a visitor generates enough 404 errors to reach the limit they will be blocked for a period of time. The settings to control the limit, blocked time, and time span are located on the 404 tab. Users on the whitelist are not monitored.
- Response Code – The http response code that is returned when a user is blocked.
Project Honey Pot tab explained
Note: This tab will be different if you have a multisite install because only the settings that apply to the individual site you are on will be displayed unless you are viewing it through the network admin. This is a screenshot of the tab on a single site install. The same options are available on both. Just on different pages in a multisite install.
- Project Honey Pot API Key – This is the HTTP:BL API key you can request from Project Honey Pot. Before any of your visitors IP address will be checked you must enter this API key. Go to https://www.projecthoneypot.org/httpbl_configure.php to request an API key
- Max Days – Maximum number of days since the last time activity has been seen from this IP by Project Honey Pot.
- Threat Score – This score is assigned internally by Project Honey Pot based on a number of factors including the number of honey pots the IP has been seen visiting and the damage done during those visits.
- Honeypot Path – This is the exact location of the custom script downloaded from https://www.projecthoneypot.org and installed on your web server. This value will be used to generate a hidden link on each webpage of the site pointing to the script. Spam bots will follow these links and can be identified as spam bots. This can either be the full path or full URL to the script. Important: If this field is empty no honeypot link will be added and the plugin will not work. If the full URL of the script is not used then the path must start with a forward slash (/). TIP: The path is the same as the one needed for activating the script.
- Use Custom Honeypot – Checking this will add an action call to ht_custom_honeypot that you can use in your theme. Then you just need to add do_action(‘ht_custom_honeypot’) wherever you would like the honeypot link to be printed.
- Use Body Open Honeypot – Checking this will add an action call to the wp_body_open action hook. Most themes call this after the body open tag.
- Use Menu Honeypot – Checking this will add a filter call to the wp_nav_menu and wp_page_menu filter hooks. This will print your honeypot after your nav menus.
- Use Search Form Honeypot – Checking this will add a filter call to the get_search_form filter hook. This will print your honeypot after the search form either in your theme or in a widget that uses the get_search_form function.
- Use Footer Honeypot – Checking this will add an action call to the wp_footer action hook. This will print your honeypot where the wp_footer function is called in your theme.
- Use The Content Honeypot – Checking this will add a filter call to the the_content filter hook. This will print your honeypot after the post/page content in your theme.
Internet Storm Center tab explained
- Attack Threshold – The number of reports received by SANS before an IP is recognized as a threat and blocked from your site.
- Day Span – The number of days to look back in the API. If an attack has been reported in the last X number of days and the reported attack count is at or above the attack threshold an IP will be blocked.
- Block Days – The number of days that an IP will be blocked if it is blocked using the SANS Internet Storm Center API.
Login tab explained
- Login Limit – The number of failed logins before a user is blocked.
- Time Span – The number of seconds that failed logins will be tracked. If a user hits the limit of failed logins within this number of seconds they will be blocked.
- Block Time – The number of seconds that a user will be blocked if they reach the login limit.
- Show Failed Count – Setting this will show a visitor the number of times they have failed to log in and how many tries they have before being blocked.
- Banned Usernames – This is a list of usernames that will automatically get a visitor blocked. Adding the admin user to this list is recommended if you have set a different user for your admin account as many bots try that user first. Users on the whitelist are not blocked if they use one of these users. Each user must be on a different line. Example:
User1
User2
User3
404 tab explained
- 404 Limit – The number of 404 errors before a user is blocked.
- Time Span – The number of seconds that 404 errors will be tracked. If a user hits the limit of 404 errors within this number of seconds they will be blocked.
- Block Time – The number of seconds that a user will be blocked if they reach the 404 error limit.