Skip to content
@WebDecoy

WebDecoy

Bot detection and remediation tools. Passive honeypots, behavioral analysis, and vision AI CAPTCHA to stop AI scrapers and sophisticated bots.
README.md

Bot detection and remediation for the AI era.
Passive honeypots, behavioral analysis, and vision AI CAPTCHA to stop scrapers and sophisticated bots.

Website · Live Demo · npm · WordPress

Open Source Projects

Project What it does
FCaptcha Self-hosted CAPTCHA Detects bots, vision AI agents, and headless browsers through 40+ behavioral signals and SHA-256 proof of work. Go, Python, and Node.js servers. Privacy-first, no external dependencies.
Node SDK Bot detection middleware TLS fingerprinting (JA3/JA4), rate limiting, and rules engine for Express, Fastify, and Next.js. Two-tier analysis with fail-open design.
WordPress Plugin WordPress bot protection Zero-config bot detection for WordPress and WooCommerce. SHA-256 proof-of-work challenges, behavioral scoring, rate limiting, and carding defense. Works on activation with no external dependencies.

What We're Building

Web Decoy is a platform for detecting and responding to automated threats — from basic scrapers to AI-powered agents that use vision models to navigate sites like humans do.

  • Decoy links — invisible honeypot traps that catch bots ignoring robots.txt, including GPTBot, ClaudeBot, and 20+ AI crawlers
  • Endpoint decoys — API honeypots that catch credential stuffing, injection attacks, and path enumeration with zero false positives
  • Behavioral analysis — TLS fingerprinting, mouse entropy, keystroke cadence, and timezone consistency checks
  • Vision AI detection — purpose-built to detect screenshot-and-click automation (Claude Computer Use, OpenAI Operator, and similar)
  • Response automation — integrates with Cloudflare, AWS WAF, and custom webhooks for real-time blocking

Quick Start

FCaptcha — one command:

docker run -d -p 3000:3000 -e FCAPTCHA_SECRET=my-secret ghcr.io/webdecoy/fcaptcha

Node SDK — add to any Express app:

npm install @webdecoy/express
import { webdecoy } from '@webdecoy/express';

app.use(webdecoy({
  apiKey: process.env.WEBDECOY_API_KEY,
  threatScoreThreshold: 70,
}));

WordPress — install and activate:

  1. Download from GitHub Releases
  2. WordPress Admin → Plugins → Add New → Upload Plugin
  3. Activate — protection starts immediately, zero configuration needed

Contributing

FCaptcha and the Node SDK are MIT-licensed. The WordPress plugin is GPLv2+. Issues and PRs welcome.

Popular repositories Loading

  1. FCaptcha FCaptcha Public

    Detect bots, vision AI agents, and headless browsers through 40+ behavioral signals and SHA-256 proof of work. Self-hosted, privacy-first, and fully open source.

    JavaScript 89

  2. wordpress-plugin wordpress-plugin Public

    WebDecoy Bot Detection — zero-config WordPress plugin for bot protection, spam prevention, and WooCommerce carding defense

    PHP 1

  3. node-sdk node-sdk Public

    Web Decoy Node.js SDK — rate limiting, bot detection, and rules engine

    TypeScript

  4. .github .github Public

    WebDecoy organization profile

Repositories

Showing 4 of 4 repositories

People

This organization has no public members. You must be a member to see who’s a part of this organization.

Top languages

Loading…

Most used topics

Loading…