vinksyunit / not-today-honey
A Laravel honeypot package to simulate attractive web pages (like WordPress wp-admin) to detect attackers
v0.1.2
2026-04-16 14:33 UTC
Requires
- php: ^8.4|^8.5
- illuminate/contracts: ^12.0|^13.0
- spatie/laravel-package-tools: ^1.16
Requires (Dev)
- larastan/larastan: ^3.0
- laravel/pint: ^1.14
- nunomaduro/collision: ^8.8
- orchestra/testbench: ^11.1
- pestphp/pest: ^4.2
- pestphp/pest-plugin-arch: ^4.0
- pestphp/pest-plugin-laravel: ^4.0
- phpstan/extension-installer: ^1.4
- phpstan/phpstan-deprecation-rules: ^2.0
- phpstan/phpstan-phpunit: ^2.0
- rector/rector: ^2.3
- dev-main
- v0.1.2
- v0.1.1
- v0.1.0
- dev-docs/fix-documentation-accuracy
- dev-feat/whitelist-events-istest
- dev-chores/boost-guidelines
- dev-dependabot/github_actions/dependabot/fetch-metadata-3.0.0
- dev-dependabot/github_actions/ramsey/composer-install-4
- dev-dependabot/github_actions/actions/setup-node-6
- dev-dependabot/github_actions/actions/checkout-6
- dev-dependabot/composer/orchestra/testbench-tw-11.1
- dev-dependabot/composer/orchestra/testbench-tw-11.0
- dev-feat/documentation
- dev-claude/review-feature-status-3EJ5o
- dev-claude/translate-comments-ai-docs-IzSQb
- dev-claude/detection-model-alerts-QCrCk
- dev-claude/add-trap-behavior-enum-B9onk
- dev-claude/init-nottodayhoney-project-5jDjW
This package is auto-updated.
Last update: 2026-04-16 17:47:15 UTC
README
A Laravel honeypot package that simulates realistic admin pages (WordPress, phpMyAdmin) to detect and block attackers.
Detect threats, automatically
- 3-level alert system — Probing → Intrusion Attempt → Attacking, each with configurable thresholds, block durations, and log levels
- Leaked credential detection — truncated SHA256 comparison against known password lists; immediate escalation to Attacking on match
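An added example of the leaked-credential check above, not taken from the package's code: passwords from a known list are indexed by truncated SHA-256 digest, and a match on a decoy login escalates straight to Attacking. The class, enum and function names and the 64-bit truncation length are assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration; class, enum and function names are hypothetical, not the package's API.
enum AlertLevel: int
{
    case Probing = 1;
    case IntrusionAttempt = 2;
    case Attacking = 3;
}

final class LeakedPasswordIndex
{
    // Assumed truncation: 16 hex characters = the first 64 bits of the digest.
    private const PREFIX_HEX_CHARS = 16;

    /** @var array<string, true> truncated digest => present */
    private array $prefixes = [];

    /** @param iterable<string> $passwords entries from a known leaked-password list */
    public function __construct(iterable $passwords)
    {
        foreach ($passwords as $password) {
            $this->prefixes[self::prefix($password)] = true;
        }
    }

    public function contains(string $submitted): bool
    {
        // Only truncated digests are compared; the submitted password is never stored.
        return isset($this->prefixes[self::prefix($submitted)]);
    }

    private static function prefix(string $password): string
    {
        return substr(hash('sha256', $password), 0, self::PREFIX_HEX_CHARS);
    }
}

// A leaked-list match jumps straight to Attacking; otherwise the level is left unchanged.
function escalate(AlertLevel $current, string $submitted, LeakedPasswordIndex $index): AlertLevel
{
    return $index->contains($submitted) ? AlertLevel::Attacking : $current;
}

// Constructed sample list and decoy-login submissions.
$index = new LeakedPasswordIndex(['123456', 'password', 'qwerty']);
foreach (['qwerty', 'S0me-unique-passphrase'] as $attempt) {
    printf("%s => %s\n", $attempt, escalate(AlertLevel::Probing, $attempt, $index)->name);
}
```

A shorter truncation shrinks the index but raises the chance that an unrelated password shares a prefix with a listed one, which would escalate a visitor who did not use a leaked credential.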
Protect your real features
- Automatic IP blocking — detected attackers are blocked for configurable durations (minutes for probing, days for intrusion, weeks for attacking)
- nottodayhoney.block middleware — deny blocked IPs globally or per route group with a single line
Honeypot traps that fool scanners
- Realistic decoys — fake WordPress wp-login, phpMyAdmin, and generic admin pages with HTTP fingerprinting to attract CVE scanners and credential-stuffing bots
- Event-driven alerts — Laravel events at each alert level; wire up Slack, mail, or any channel via listeners
Requirements
- PHP 8.4+
- Laravel 12+
Installation
composer require vinksyunit/not-today-honey
php artisan vendor:publish --tag="not-today-honey-config"
php artisan vendor:publish --tag="not-today-honey-migrations"
php artisan migrate
Blue team best practices
NotTodayHoney detects and signals — it is one layer of a defense-in-depth strategy. A honeypot without complementary layers is a smoke detector with no sprinklers.
- Understand your attack surface — the OWASP Top 10 covers the most common application-layer risks; the ASVS gives you a structured checklist
- Review code for security — authentication, authorisation boundaries, and input handling deserve attention on every change, not just security-focused sprints
- Run penetration tests — a pentest finds what automated scanners miss: logic flaws, misconfigurations, privilege escalation paths
- Monitor and respond — route AttackerAttackingEvent to an alerting pipeline; define a runbook for what your team does when an attacker is detected
- Keep dependencies clean — attackers scan for known CVEs before trying credentials; run composer audit regularly
→ Blue Team Practices in the documentation for further reading and OWASP references.
License
The MIT License (MIT). Please see License File for more information.