
Securing your Django Admin by using a HoneyPot

Every Django application has the magnificent Django Admin built in, enabling you to access your database tables in a very nice way.

The url is typically admin/

The problem is that hackers also know the default admin url for a Django install is admin/

So what do you do? Well, you change the admin url in your base urls.py file:

# Default admin url
# path('admin/', admin.site.urls),

# New super secret admin url!
path('secret_admin_url/', admin.site.urls),

But sometimes that is not enough.

The above will hide your admin (you are picking a better name than secret_admin_url aren’t you?) but sometimes it’s useful to know who is trying to access your admin.

Enter the plugin django-admin-honeypot

Django Admin Honeypot creates an admin page for you that looks exactly like the real one. Its url is admin/ and it advises you to create a secret admin url that becomes your real admin.

Installation is simple:

pip install django-admin-honeypot

Then add admin_honeypot to INSTALLED_APPS in your settings file.


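Then update your base urls.py file:

from django.contrib import admin
from django.urls import include, path
urlpatterns = [
    path('admin/', include('admin_honeypot.urls', namespace='admin_honeypot')),  # honeypot on the default url
    path('secret_admin_url/', admin.site.urls),  # the real admin
]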

Then do a migrate:

python manage.py migrate

When hackers try to log in to the default admin/ page – they won’t be successful.

The login attempt will be logged in your real admin.

From there you can attend to the probe as you wish.
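One way to attend to those logged attempts, as an added example that is not part of the original post or the plugin's own code: the Python below triages exported honeypot rows by source IP, flagging bursts of attempts and any attempt that used a real staff username. The row fields (ip, username, ts), the sample rows, the STAFF set and the function names triage and flagged are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (field names are assumptions, not the plugin's schema).
# IPs come from the reserved documentation ranges.
ATTEMPTS = [
    {"ip": "203.0.113.7", "username": "admin", "ts": "2024-05-01T10:00:05"},
    {"ip": "203.0.113.7", "username": "root", "ts": "2024-05-01T10:00:09"},
    {"ip": "203.0.113.7", "username": "administrator", "ts": "2024-05-01T10:00:14"},
    {"ip": "198.51.100.23", "username": "jsmith", "ts": "2024-05-01T11:30:00"},
    {"ip": "203.0.113.50", "username": "admin", "ts": "2024-05-01T09:00:00"},
    {"ip": "203.0.113.50", "username": "admin", "ts": "2024-05-01T12:00:00"},
]
STAFF = {"jsmith"}  # hypothetical real staff usernames


def triage(attempts, staff_usernames, burst=3, window=timedelta(minutes=5)):
    """Summarise honeypot attempts per source IP."""
    by_ip = defaultdict(list)
    for row in attempts:
        by_ip[row["ip"]].append((datetime.fromisoformat(row["ts"]), row["username"]))
    report = {}
    for ip, rows in by_ip.items():
        rows.sort()
        times = [t for t, _ in rows]
        # Burst: any `burst` consecutive attempts that fit inside `window`.
        is_burst = any(
            times[i + burst - 1] - times[i] <= window
            for i in range(len(times) - burst + 1)
        )
        # A real staff username typed into the decoy means either a leaked
        # account name or a colleague using the old URL; both need follow-up.
        known = sorted({u for _, u in rows if u in staff_usernames})
        report[ip] = {"count": len(rows), "burst": is_burst, "known_usernames": known}
    return report


def flagged(report):
    """IPs worth a closer look: a burst, or a real username was tried."""
    return sorted(ip for ip, r in report.items() if r["burst"] or r["known_usernames"])


if __name__ == "__main__":
    for ip, summary in triage(ATTEMPTS, STAFF).items():
        print(ip, summary)
    print("review:", flagged(triage(ATTEMPTS, STAFF)))
```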


So while a honeypot like this is not a perfect solution to securing your Django website – it is an excellent step to ensure your admin is not vulnerable to being probed.
