static-first deception for Vite and VitePress sites

VitePot is a honeypot plugin for fake sensitive files on static sites.

VitePot adds believable decoy files like /.env, /wp-config.php, and /backup.sql to Vite and VitePress builds so scanners, crawlers, and opportunistic bots waste time on bait instead of anything real.

Vite VitePress Honeypot Apache-2.0

vite.config.ts

import { vitepot } from '@itznotabug/vitepot'

export default {
  plugins: [
    vitepot({
      variants: ['cms-roots', 'archive-roots'],
      dirs: ['/legacy'],
      custom: [{ path: '/private.env' }],
    }),
  ],
}

/.env
/wp-config.php
/backup.sql
/.git/config
/vercel.json
/settings.py
/config.inc.php

What it does

Static bait for common scanner paths.

Believable decoys

Serve realistic-looking trap files that feel exposed enough to attract probes without leaking any real secrets.

Fits normal Vite workflows

Use middleware in development and emitted files in production builds without adding a separate honeypot stack.

Preset + custom traps

Start with built-ins for common paths, then add custom file names, directories, and generated content where you need more coverage.

Included targets

Credential bait

included

Environment-like files, cloud credentials, and framework config paths that commonly show up in scanner wordlists.

Source metadata

included

Git traces, framework configs, and deployment files that make the fake surface area feel more convincing.

Backups and dumps

included

Archive-style files, dump targets, and backup-looking paths for broader passive deception.

Runtime

Dev server

supported

Serves traps directly from middleware without writing bait files to disk during development.

Production build

supported

Emits trap files into the output so your deployed static site ships with bait already included.

Preview constraints

host-dependent

Local and production preview behavior depends on the static server or host, especially for dotfiles and PHP-like trap paths.
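
Static bait only pays off for a defender if the probes get noticed. The following is an added example, not part of VitePot or its documentation: it scans access-log text for requests to the decoy paths named on this page and groups them by client, assuming your host exposes logs in the common "combined" format. The function names and the sample log lines are constructed for illustration.

```javascript
// Added example, not VitePot code. Paths are the decoys shown on this page
// plus the custom '/private.env'; adjust to match your own config.
const DECOY_PATHS = new Set([
  '/.env', '/wp-config.php', '/backup.sql', '/.git/config',
  '/vercel.json', '/settings.py', '/config.inc.php', '/private.env',
]);

// Assumed format: Apache/nginx "combined" access log.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) /;

function normalizePath(target) {
  // Drop query/fragment, decode percent-escapes, collapse duplicate slashes.
  let path = target.split(/[?#]/)[0];
  try { path = decodeURIComponent(path); } catch { /* keep raw on bad escapes */ }
  return path.replace(/\/{2,}/g, '/');
}

function findDecoyHits(logText) {
  const byClient = new Map();
  for (const line of logText.split('\n')) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // not in the assumed format
    const [, ip, time, , target, status] = m;
    const path = normalizePath(target);
    if (!DECOY_PATHS.has(path)) continue;
    const e = byClient.get(ip) ?? { ip, firstSeen: time, hits: 0, notServed: 0, paths: new Set() };
    e.hits += 1;
    if (status !== '200') e.notServed += 1; // host refused the bait (e.g. dotfiles blocked)
    e.paths.add(path);
    byClient.set(ip, e);
  }
  // Clients probing several distinct decoys are the strongest scanner signal.
  return [...byClient.values()]
    .map((e) => ({ ...e, paths: [...e.paths].sort() }))
    .sort((a, b) => b.paths.length - a.paths.length || b.hits - a.hits);
}

// Constructed sample log lines (documentation IP ranges).
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /.env HTTP/1.1" 200 412 "-" "curl/8.5.0"',
  '203.0.113.7 - - [12/Mar/2025:10:01:03 +0000] "GET /wp-config.php?x=1 HTTP/1.1" 200 903 "-" "curl/8.5.0"',
  '203.0.113.7 - - [12/Mar/2025:10:01:03 +0000] "GET //backup.sql HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
  '198.51.100.20 - - [12/Mar/2025:10:02:10 +0000] "GET /guide/intro.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.99 - - [12/Mar/2025:10:03:44 +0000] "GET /%2Eenv HTTP/1.1" 404 0 "-" "python-requests/2.31"',
].join('\n');

console.log(findDecoyHits(SAMPLE_LOG));
```

A non-zero notServed count for a dotfile decoy is also a quick way to spot the host-dependent behavior described above, where the server declines to serve the trap.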

Ready to ship

Keep the site static. Make scanner probes less useful.

Best fit: Vite and VitePress sites that want low-friction deception, fake sensitive files, and a cleaner static-first bot trap surface.