DarshanPandya

VitePot: Honeypot for Vite

Published: April 21, 2026

3 min read

Categories: #OpenSource, #Web and #Security


VitePot: Honeypot for Vite

Recently, I noticed something in the server logs: automated scanners constantly probing for files that do not exist — /.env, /wp-config.php, /backup.sql, and dozens more.

These bots were not targeting my site specifically. They are just noisy crawlers blindly checking common paths across the internet, hoping to find misconfigured servers with exposed credentials.

I could ignore them. Or I could waste their time. That's how VitePot was born.

What is VitePot?

VitePot is a static-first honeypot plugin for VitePress and other Vite-powered sites. Instead of leaving common scanner paths completely empty, it adds realistic-looking bait files that waste bot time and attention.

It currently ships with 43 built-in traps across multiple categories.

If that is not enough, you can also add your own custom traps for paths you want to bait intentionally.

All generated content uses reserved .test domains and RFC 5737 test-net IPs, so nothing points at real infrastructure.

How does it work?

In development, traps are served from memory. During build, they are emitted as static files. The whole thing stays small and fits naturally into an existing Vite or VitePress setup.

Usage

  1. Add the dependency:

    bash
    bun add @itznotabug/vitepot

  2. Use it in your VitePress config:

    ts
    // .vitepress/config.mts
import { defineConfig } from 'vitepress';
import { vitepot } from '@itznotabug/vitepot';

export default defineConfig({
    vite: {
        plugins: [vitepot()],
    },
});

That is it. The default configuration enables the built-in trap set at the site root.

Want custom traps too?

You can add your own custom traps as well. See the full docs on GitHub.

Why build this?

  1. Wasting bot resources is fun.
    If scanners are going to poke around anyway, they might as well spend that effort parsing fake SQL dumps and bogus API keys instead of finding anything useful.

  2. Zero runtime cost.
    Since the traps are generated as static files, the site stays simple. No extra app layer, no separate honeypot service, and no need to bolt on something heavy just to add a bit of deception.

VitePot is available on -

Darshan Pandya

Copyright © 2017-Present