Attack Dashboard & Performance Summary
A high-interaction WordPress honeypot (a fake website deliberately put online to attract attackers, like a bait car left unlocked by police to catch car thieves) written in C, built to help me understand how real-world SIEMs (Security Information and Event Management systems: think of a security camera control room that collects alerts from every sensor in a building) such as Microsoft Sentinel operate. WPTrap convincingly mimics a fully featured WordPress 6.4.3 installation in order to attract, log, and analyze attacker behavior in detail.
You are viewing a read-only dashboard that displays historical attack data collected by WPTrap. The honeypot itself is a separate server at browndisappointment.net that looks and behaves like a real WordPress site. Try scanning it, poking at /wp-login.php, or hitting the XML-RPC endpoint (a remote API built into WordPress that lets other programs talk to it; attackers abuse it to try thousands of passwords in bulk). Everything you do there gets logged, classified, and tagged with MITRE ATT&CK tactics (a public catalogue of known attacker techniques, maintained by a nonprofit, that security teams use as a shared vocabulary for describing attacks). No DoS or DDoS please, but everything else is fair game!
What this project is, what the data represents, and how it was collected
Visual breakdown of captured attack data across the collection period
Dive into the raw logs with interactive filters, sorting, and pagination
Browse every HTTP request logged by the honeypot. Filter by attack class, MITRE tactic, severity, HTTP method, status code, source IP, and date range. Expand any row to see full request headers and POST bodies.
View every brute-force login attempt captured from wp-login.php and XML-RPC calls. See the exact usernames and passwords attackers tried, and filter by source, severity, and date range.
Comprehensive detection and classification capabilities
Every event is tagged with MITRE ATT&CK tactics, techniques, and technique IDs for standardized threat classification.
Pattern classifier covering SQLi, XSS, LFI, and RCE (SQL injection manipulates database queries, XSS injects scripts into pages, LFI reads files the server should keep private, and RCE runs commands on the server), plus credential hunting and WordPress-specific exploits.
Captures brute-force attempts (trying thousands of username/password combinations one after another, like trying every key on a giant keyring until one fits) from wp-login.php and XML-RPC calls, with full username/password logging.
Realistic wp-login.php, XML-RPC, REST API, and 40+ route handlers covering plugins, themes, and exploit paths.
Rate limiter (50 req/s burst; a speed limit for web requests, like a bouncer admitting only so many people per second), anti-Slowloris protection (Slowloris opens many connections and sends data extremely slowly to tie up the server, like someone standing in a doorway), path traversal prevention, and privilege dropping.
All IP addresses (a computer's unique network address, like a phone number; an IP can reveal a rough location) are replaced with consistent pseudonyms (src_001, src_002, ...) so the data can be analysed without exposing the sources.
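The "50 req/s burst" figure is the kind of limit a token bucket enforces. The block below is an added example, not WPTrap's own rate limiter: it assumes a sustained rate and a bucket capacity of 50 per source, keys sources by string (an IP or a pseudonym such as src_001), and takes a caller-supplied monotonic millisecond clock so the behaviour is deterministic. The source table is fixed-size and refuses sources it cannot track, so a flood of spoofed sources cannot make it grow without bound.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not WPTrap's own code): a per-source token bucket that
 * enforces a 50 req/s burst. Rate, capacity and table size are assumptions. */
#define RL_RATE_PER_SEC 50          /* tokens added per second */
#define RL_BURST        50          /* bucket capacity */
#define RL_SCALE        1000        /* tokens are stored in thousandths */
#define RL_MAX_SOURCES  1024        /* fixed table: no unbounded growth under flood */

typedef struct {
    char     key[64];
    int64_t  tokens_milli;          /* available tokens * RL_SCALE */
    uint64_t last_ms;               /* time of the last refill */
    bool     used;
} rl_bucket_t;

typedef struct {
    rl_bucket_t buckets[RL_MAX_SOURCES];
} rl_table_t;

/* Find the bucket for a source, creating a full one on first sight. */
static rl_bucket_t *rl_lookup(rl_table_t *t, const char *key, uint64_t now_ms) {
    rl_bucket_t *free_slot = NULL;
    for (size_t i = 0; i < RL_MAX_SOURCES; i++) {
        rl_bucket_t *b = &t->buckets[i];
        if (b->used && strcmp(b->key, key) == 0) return b;
        if (!b->used && free_slot == NULL) free_slot = b;
    }
    if (free_slot == NULL) return NULL;           /* table full */
    strncpy(free_slot->key, key, sizeof free_slot->key - 1);
    free_slot->key[sizeof free_slot->key - 1] = '\0';
    free_slot->tokens_milli = (int64_t)RL_BURST * RL_SCALE;
    free_slot->last_ms = now_ms;
    free_slot->used = true;
    return free_slot;
}

/* Returns true if the request may proceed, false if it should get a 429.
 * A source the table cannot track is refused (fail closed). */
bool rl_allow(rl_table_t *t, const char *key, uint64_t now_ms) {
    rl_bucket_t *b = rl_lookup(t, key, now_ms);
    if (b == NULL) return false;
    if (now_ms > b->last_ms) {
        /* 50 tokens/s is 50 milli-tokens per millisecond, capped at the burst. */
        b->tokens_milli += (int64_t)(now_ms - b->last_ms) * RL_RATE_PER_SEC;
        if (b->tokens_milli > (int64_t)RL_BURST * RL_SCALE)
            b->tokens_milli = (int64_t)RL_BURST * RL_SCALE;
        b->last_ms = now_ms;
    }
    if (b->tokens_milli >= RL_SCALE) {
        b->tokens_milli -= RL_SCALE;
        return true;
    }
    return false;
}

/* Scenario 1: 60 requests in the same millisecond from one source.
 * Returns how many were allowed (the burst size). */
int rl_demo_burst(void) {
    static rl_table_t t;
    memset(&t, 0, sizeof t);
    int allowed = 0;
    for (int i = 0; i < 60; i++)
        if (rl_allow(&t, "src_001", 1000)) allowed++;
    return allowed;
}

/* Scenario 2: drain the bucket at t=0, then try three times at t=20 ms.
 * 20 ms refills exactly one token. A second source must be unaffected;
 * returns -1 if it is wrongly blocked, otherwise the count allowed. */
int rl_demo_refill(void) {
    static rl_table_t t;
    memset(&t, 0, sizeof t);
    for (int i = 0; i < RL_BURST; i++) rl_allow(&t, "src_001", 0);
    int allowed = 0;
    for (int i = 0; i < 3; i++)
        if (rl_allow(&t, "src_001", 20)) allowed++;
    if (!rl_allow(&t, "src_002", 20)) return -1;
    return allowed;
}

/* Scenario 3: once every slot is taken, an unknown source is refused
 * rather than tracked loosely. Returns true if it was refused. */
bool rl_demo_fail_closed(void) {
    static rl_table_t t;
    memset(&t, 0, sizeof t);
    char key[32];
    for (int i = 0; i < RL_MAX_SOURCES; i++) {
        snprintf(key, sizeof key, "src_%04d", i);
        rl_allow(&t, key, 0);
    }
    return !rl_allow(&t, "src_overflow", 0);
}
```

Tokens are kept as integer thousandths so the refill arithmetic is exact; a floating-point bucket can be off by one token at the boundary, which is exactly where a limiter is tested. Whether a full table should refuse or evict the oldest source is a policy choice; refusing is the conservative default for a honeypot that must stay up under a flood.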
Live log ingestion into Microsoft Sentinel via the Azure Monitor Agent
An Azure Monitor Agent (AMA, a small agent installed on a server that collects logs and forwards them to Microsoft's cloud, like a security guard who writes everything down and sends it to headquarters) is installed on the honeypot instance and continuously forwards CEF-formatted events (Common Event Format, a standardized log line layout that every security tool can parse the same way) to a Microsoft Sentinel workspace. Sentinel retains the last 30 days of events, enabling KQL (Kusto Query Language, the language used to search and filter logs in Azure) queries, alerting rules, and workbook visualisations across all honeypot activity in near real time. Every event arrives pre-tagged with MITRE ATT&CK fields for immediate triage.
| Output | Format | Consumer |
|---|---|---|
| honeypot_audit.log | NDJSON | Cloudflare D1 / This Dashboard |
| honeypot_cef.log | CEF:0 | Microsoft Sentinel (via AMA) |
| syslog (LOCAL4) | CEF | Sentinel syslog connector |
How WPTrap is built, deployed, and hardened.
A dedicated Ubuntu server with Nginx TLS reverse proxy, systemd hardening, and a self-healing cron watchdog.
A high-interaction honeypot written in C that impersonates WordPress 6.4.3 with 40+ route handlers.
Bots try default credentials, brute-force XML-RPC, and fire SQLi, LFI, RCE, XSS, and SSRF payloads.
MITRE ATT&CK tagging, 55+ attack signatures, written simultaneously as NDJSON, CEF, and syslog.
Events forwarded in real time to LOCAL4 syslog in Common Event Format.
The AMA picks up syslog entries and forwards structured events to Azure Log Analytics.
Cloud-native SIEM for KQL queries, workbooks, and automated detection rules.
NDJSON log snapshots are periodically uploaded here for anyone to explore.
Written in ~1,600 lines of C with pthreads (POSIX threads, which let one program do many things at the same time, like a restaurant with several waiters serving different tables simultaneously) for concurrency. Each connection gets a dedicated thread with a 256 KB stack, allowing 500 concurrent sessions in roughly 128 MB of reserved stack space.
Impersonates WordPress 6.4.3 with realistic wp-login.php, XML-RPC, REST API user enumeration, and 40+ route handlers covering plugins, themes, uploads, and common exploit paths. Returns proper Apache/2.4.58 + PHP/8.2.15 headers.
Runs on an AWS Lightsail instance behind an nginx TLS reverse proxy (a gatekeeper that terminates the encrypted connection, the padlock icon in your browser, and forwards requests to the honeypot behind it). CI/CD (Continuous Integration / Continuous Deployment, an automated pipeline in which every code change is built, tested, and deployed automatically) via GitHub Actions means a push to master automatically compiles on the instance, installs the systemd service (systemd keeps the honeypot running as a background service and restarts it if it crashes), and runs a smoke test.
Drops privileges to nobody after binding the port (once the server has started, it gives up its own permissions so that even if an attacker breaks in they can do little; like a bank teller locking the vault key away after opening hours). Hardened systemd unit (the configuration file that tells Linux how to run and confine the service) with a 768 MB memory cap, filesystem protection, and NoNewPrivileges. An auto-heal watchdog checks health every 2 minutes. No shell execution, and no file writes outside the log directory.
121 automated tests across 5 modules (pytest) validate endpoint correctness, credential capture, rate limiting, crash resistance (fuzzing, which throws random or malformed data at the software to see if it crashes; Slowloris; malformed HTTP), and SIEM log format compliance.
Simultaneous output to NDJSON (Newline-Delimited JSON, one self-contained record per line, which lets tools like Splunk read one event at a time) for Splunk, CEF:0 (Common Event Format version 0, a standardized security log line layout) for Microsoft Sentinel, syslog (the standard mechanism for sending log messages to a central collector), and colour-coded stdout. Every event gets a unique ID, MITRE tags, and millisecond-precision response timing for correlation.
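Dropping to nobody after the bind is easy to get subtly wrong: the calls must run in the order groups, gid, uid, and the result should be verified rather than assumed. The block below is an added example of that step, not WPTrap's own startup code; the user name is a parameter (nobody being the page's stated choice), and the prctl call is the in-process counterpart of the unit file's NoNewPrivileges= setting, included here as an assumption about belt-and-braces hardening rather than something the page says WPTrap does.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Added example (not WPTrap's own code): drop root to an unprivileged user
 * and prove it stuck. Returns 0 on success, -1 on failure with errno set. */
int drop_privileges(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        fprintf(stderr, "drop_privileges: unknown user '%s'\n", user);
        errno = EINVAL;
        return -1;
    }
    /* "Dropping" to root would be a silent no-op; treat it as a config error. */
    if (pw->pw_uid == 0) {
        fprintf(stderr, "drop_privileges: refusing to drop to uid 0\n");
        errno = EINVAL;
        return -1;
    }
    /* Order matters: supplementary groups first, then gid, then uid.
     * After setuid() the process can no longer change its groups. */
    if (setgroups(0, NULL) != 0) { perror("setgroups"); return -1; }
    if (setgid(pw->pw_gid) != 0)  { perror("setgid");    return -1; }
    if (setuid(pw->pw_uid) != 0)  { perror("setuid");    return -1; }

    /* Verify the drop is real and permanent: regaining root must now fail,
     * and real and effective ids must both be the target's. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        fprintf(stderr, "drop_privileges: root regained, aborting\n");
        errno = EPERM;
        return -1;
    }
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid || getegid() != pw->pw_gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* In-process equivalent of systemd's NoNewPrivileges=: after this, an
 * execve() of a setuid binary cannot raise privileges. 0 on success. */
int lock_no_new_privs(void) {
#ifdef __linux__
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
#else
    return 0;   /* not available here; rely on the unit file */
#endif
}

/* Typical startup order: bind the privileged port as root, then drop. */
int main(void) {
    /* ... socket(), bind() to 80/443 and listen() happen here, still as root ... */
    if (lock_no_new_privs() != 0) return 1;
    if (drop_privileges("nobody") != 0) return 1;
    /* ... accept loop runs as nobody from here on ... */
    return 0;
}
```

The post-drop setuid(0) probe is the check worth keeping: a saved-set-uid left behind by seteuid() instead of setuid() would pass a naive geteuid() test and still let the process climb back to root.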
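Both the output table (honeypot_cef.log, syslog LOCAL4) and the paragraph above describe the same thing: one event rendered as a CEF:0 line that Sentinel's syslog connector can parse. The block below is an added example of that rendering, not WPTrap's own emitter. The vendor/product strings, the WPTRAP-* event id, the mapping of the sample probe to a tactic and technique, and the use of the cs1/cs2 custom-string slots for the MITRE fields are illustrative assumptions; the escaping rules are those of the CEF:0 format (in the header fields, pipe and backslash are escaped; in the extension, equals sign and backslash are escaped and newlines are written as \n or \r). Getting those rules wrong is the usual way attacker-controlled request data corrupts a SIEM field.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Added example, not WPTrap's own emitter. Field choices are assumptions;
 * escaping follows the CEF:0 format. */

/* Append s verbatim; false if the buffer would overflow (room for NUL kept). */
static bool raw_append(char *dst, size_t cap, size_t *len, const char *s) {
    size_t n = strlen(s);
    if (*len + n >= cap) return false;
    memcpy(dst + *len, s, n);
    *len += n;
    dst[*len] = '\0';
    return true;
}

/* Append s with CEF escaping for a header field (header=true) or an
 * extension value (header=false). */
static bool cef_append(char *dst, size_t cap, size_t *len, const char *s, bool header) {
    for (; *s; s++) {
        char one[2] = { *s, '\0' };
        const char *rep = one;
        if (*s == '\\')                 rep = "\\\\";
        else if (header && *s == '|')   rep = "\\|";
        else if (!header && *s == '=')  rep = "\\=";
        else if (!header && *s == '\n') rep = "\\n";
        else if (!header && *s == '\r') rep = "\\r";
        if (!raw_append(dst, cap, len, rep)) return false;
    }
    return true;
}

static bool ext_kv(char *dst, size_t cap, size_t *len, const char *key, const char *val, bool first) {
    if (!first && !raw_append(dst, cap, len, " ")) return false;
    return raw_append(dst, cap, len, key) &&
           raw_append(dst, cap, len, "=") &&
           cef_append(dst, cap, len, val, false);
}

typedef struct {
    const char *event_id;    /* e.g. "WPTRAP-SQLI" (assumed naming) */
    const char *name;        /* human-readable event name */
    int         severity;    /* CEF severity, 0..10 */
    const char *source;      /* pseudonymised source, e.g. "src_001" */
    const char *method;
    const char *path;        /* raw request target, attacker-controlled */
    const char *tactic;      /* MITRE ATT&CK tactic */
    const char *technique;   /* MITRE ATT&CK technique id */
} cef_event_t;

/* Formats one event as a CEF:0 line. Returns false on a bad severity or
 * overflow, in which case nothing partial should be logged. */
bool cef_format(const cef_event_t *e, char *out, size_t cap) {
    if (cap == 0 || e->severity < 0 || e->severity > 10) return false;
    size_t len = 0;
    out[0] = '\0';
    char sev[3];
    snprintf(sev, sizeof sev, "%d", e->severity);
    const char *hdr[] = { "WPTrap", "honeypot", "1.0", e->event_id, e->name, sev };
    if (!raw_append(out, cap, &len, "CEF:0")) return false;
    for (size_t i = 0; i < sizeof hdr / sizeof hdr[0]; i++) {
        if (!raw_append(out, cap, &len, "|")) return false;
        if (!cef_append(out, cap, &len, hdr[i], true)) return false;
    }
    if (!raw_append(out, cap, &len, "|")) return false;
    /* src/requestMethod/request are standard CEF keys; cs1/cs2 are the
     * custom-string slots, each with its *Label so the SIEM can name it. */
    return ext_kv(out, cap, &len, "src", e->source, true) &&
           ext_kv(out, cap, &len, "requestMethod", e->method, false) &&
           ext_kv(out, cap, &len, "request", e->path, false) &&
           ext_kv(out, cap, &len, "cs1Label", "mitreTactic", false) &&
           ext_kv(out, cap, &len, "cs1", e->tactic, false) &&
           ext_kv(out, cap, &len, "cs2Label", "mitreTechnique", false) &&
           ext_kv(out, cap, &len, "cs2", e->technique, false);
}

/* Constructed sample: a SQLi probe whose name contains '|' and whose path
 * contains '=' characters, so both escaping rules are exercised. */
bool cef_sample(char *out, size_t cap) {
    cef_event_t e = {
        "WPTRAP-SQLI", "SQL injection | wp-login", 8, "src_001", "POST",
        "/wp-login.php?log=admin' OR 1=1--", "Initial Access", "T1190"
    };
    return cef_format(&e, out, cap);
}

int main(void) {
    char line[1024];
    if (!cef_sample(line, sizeof line)) return 1;
    puts(line);
    /* The same line goes to the LOCAL4 facility the AMA syslog connector reads. */
    openlog("wptrap", LOG_NDELAY | LOG_PID, LOG_LOCAL4);
    syslog(LOG_INFO, "%s", line);
    closelog();
    return 0;
}
```

The sample renders as `CEF:0|WPTrap|honeypot|1.0|WPTRAP-SQLI|SQL injection \| wp-login|8|src=src_001 requestMethod=POST request=/wp-login.php?log\=admin' OR 1\=1-- ...`. Note that an unescaped pipe is legal inside the extension, so only the seven header fields escape it; conversely an unescaped `=` in a value would be read as the start of a new key, which is why the request path is escaped before it reaches the SIEM.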
Attack techniques observed in the dataset, mapped to the MITRE ATT&CK framework