17

For an extra little bit of security I want to change the default django admin url to the custom one, e.g. change mysite.com/admin/ to mysite.com/mysecretadmin/ so that admin is completely unaccessible via default url.

I tried some solutions from the internet, for example I changed urls.py like this:

from django.conf.urls import patterns, url, include from django.contrib import admin admin.autodiscover() urlpatterns = patterns('api.views', ..., ..., url(r'^secret-admin-url/', include(admin.site.urls)), )

Nothing worked for me, sadly. Does anyone know the solution? I use django 1.5.4.

Improve this question
2
  • That's the correct solution. You can try to put it on top of your list for debugging purposes. Commented Jun 11, 2014 at 11:58
  • It turns out that I was using wrong urls.py file. My app has two - one main urls.py and one app-specific urls.py in app directory. You have to change main urls.py file. Commented Jul 21, 2014 at 14:27

4 Answers 4

Reset to default
11

Refer to the section 'Hooking AdminSite instances into your URLconf' in the url below https://docs.djangoproject.com/en/dev/ref/contrib/admin/#hooking-adminsite-to-urlconf

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

The above link seems to be broken now
@PrakharAgrawal if you are using newer version of django, try changing url of admin url(r'^<custom-url>/', admin.site.urls),. This is working without any issues with recent versions of django.
That was giving errors after every few requests for some unknown reason, in the beginning, still unknown to me. And the error said that ^admin$ was still a valid url. Over the time it became more stable and it works now. I am very confused to as why that happened, and so I thought I might need to change somewhere else.
to add security change admin/ to something like admin_NAtEsoNsibingSTilEBOl. When you use href="{% url 'admin:index' this will then reference to this link...
5

For those who find this question in recent times. Based on the Django 3.1 docs:

register the default AdminSite instance django.contrib.admin.site at the URL /admin/:

# main project urls.py from django.contrib import admin from django.urls import path urlpatterns = [ path("admin/", admin.site.urls), ]

you can simply change the admin/ url to anything you wish:

urlpatterns = [ path("my_custom_url/", admin.site.urls), ]
Improve this answer

Comments

4

If you do not want to use the default page /admin you can add a secret key to admin. So in urls.py

urlpatterns = [ path('admin_eTiOmEthelInEwathbace/', admin.site.urls,), ]

If in your template you have a link

<a href="{% url 'admin:index' %}">Admin</a>

then this will reference to the above site with url: http://127.0.0.1:8000/admin_eTiOmEthelInEwathbace/

Now you do not want to publish this secret_key, therefore get it from an environment variable with for example decouple, so urls.py then becomes

from decouple import config SECRET_ADMIN = config('SECRET_ADMIN') urlpatterns = [ path(f'admin_{SECRET_ADMIN}/', admin.site.urls,), ]
Improve this answer

Comments

2

If you want to prevent brute force or dictionary attack and your admin login page not accessible for unauthorized user,normal user. please follow this step:

First install django admin honeypot and signal

pip install django-admin-honeypot(inastall in settings.py) pip install django-honeypot-signals(inastall in settings.py)

override this .txt file(because future tag is deprecated):

templates/honeypot_signals/notification.txt:

{% load i18n %} {% blocktrans with site_name=site.name %} {% endblocktrans %} Invalid login attempt from your duplicate ADMIN panel.. • Review entry at http://{{ site.domain }}{% url "admin:admin_honeypot_loginattempt_change" object.id %} Username: {{ object.username }} IP: {{ object.ip_address }} Timestamp: {{ object.timestamp }}

django-admin-honeypot make a fake admin login page and django honeypot signal send email to admin with credentials if any person try to access your fake admin login page.

How to access main admin login page?:

  • pip install django-decorator-include

Your main urls.py:

from django.contrib import admin from django.urls import path from django.urls.conf import include from . import settings from decorator_include import decorator_include from django.contrib.auth.decorators import login_required, user_passes_test from django.core.exceptions import PermissionDenied from django.core.mail.message import EmailMessage from datetime import datetime from django.views.generic.base import RedirectView def only_user(): def check(user): if user.is_authenticated and user.is_superuser or user.is_staff: return True time = datetime.now() message = f'----------------------------------\nName: {user.username}\nEmail: {user.email}\nTime: {time}.\n----------------------------------\n • {user.username} is not a staff user or admin.For some security reasons..Please block this user from your admin panel(Blacklist).' email = EmailMessage( f'📛📛📛Alert!! {user.username} is try to accessing your admin panel!!', message, settings.EMAIL_HOST_USER, [settings.EMAIL_HOST_USER], ) email.fail_silently = False email.send() raise PermissionDenied return user_passes_test(check) urlpatterns = [ path('', include('product.urls')), #This is all fake admin urls... path('admin/', include('admin_honeypot.urls', namespace='admin_honeypot')), path('site/admin/',RedirectView.as_view(url='/admin')), path('user/admin/',RedirectView.as_view(url='/admin')), path('secure/admin/',RedirectView.as_view(url='/admin')), path('mysite/admin/',RedirectView.as_view(url='/admin')), path('admin/secure',RedirectView.as_view(url='/admin')), path('real/admin/',RedirectView.as_view(url='/admin')), #This is real admin login page url path('custom_url/', decorator_include([login_required, only_user()], admin.site.urls)), ]

For this way you can not access directly your admin login page.. first you need to login your website and then accessible your admin panel..

How to protect website's login page from the attackers?:

 - Use django defender (https://django-defender.readthedocs.io/en/latest/) ---------------------OR------------------------- - Use google hidden(ReCaptchaV2Invisible) recaptcha field (https://pypi.org/project/django-recaptcha/)

If any unauthorized users terrible activity detected.You block their IP address or username by using this django package:

pip install django-blacklist

Read docs : django-blacklist

•sorry for my English

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.