How can I change the URL to the Django admin interface?
For an extra little bit of security I want to change the default Django admin URL to a custom one, e.g. change mysite.com/admin/ to mysite.com/mysecretadmin/ so that the admin is completely inaccessible via the default URL.

I tried some solutions from the internet, for example I changed urls.py like this:

from django.conf.urls import patterns, url, include
from django.contrib import admin
admin.autodiscover()

urlpatterns = patterns('api.views',
    ...,
    ...,
    url(r'^secret-admin-url/', include(admin.site.urls)),
)

Nothing worked for me, sadly. Does anyone know the solution? I use django 1.5.4.

Schlessinger answered 11/6, 2014 at 11:44 Comment(2)
That's the correct solution. You can try to put it on top of your list for debugging purposes. – Pederast
It turns out that I was using the wrong urls.py file. My app has two: one main urls.py and one app-specific urls.py in the app directory. You have to change the main urls.py file. – Schlessinger
C
11

Refer to the section 'Hooking AdminSite instances into your URLconf' at the URL below: https://docs.djangoproject.com/en/dev/ref/contrib/admin/#hooking-adminsite-to-urlconf

Clone answered 11/6, 2014 at 14:26 Comment(4)
The above link seems to be broken now. – Microscopium
@PrakharAgrawal if you are using a newer version of Django, try changing the URL of the admin: url(r'^<custom-url>/', admin.site.urls),. This is working without any issues with recent versions of Django. – Clone
That was giving errors after every few requests for some unknown reason in the beginning, still unknown to me. And the error said that ^admin$ was still a valid URL. Over time it became more stable and it works now. I am very confused as to why that happened, and so I thought I might need to change something somewhere else. – Microscopium
To add security, change admin/ to something like admin_NAtEsoNsibingSTilEBOl. When you use href="{% url 'admin:index' this will then reference this link... – Praseodymium
A
5

For those who find this question in recent times, based on the Django 3.1 docs:

Register the default AdminSite instance django.contrib.admin.site at the URL /admin/:

# main project urls.py
from django.contrib import admin
from django.urls import path

urlpatterns = [
    path("admin/", admin.site.urls),
]

You can simply change the admin/ URL to anything you wish:

urlpatterns = [
    path("my_custom_url/", admin.site.urls),
]
Ancestress answered 8/11, 2020 at 7:4 Comment(0)
P
4

If you do not want to use the default page /admin, you can add a secret key to admin. So in urls.py:

urlpatterns = [
    path('admin_eTiOmEthelInEwathbace/', admin.site.urls,),
]

If in your template you have a link

<a href="{% url 'admin:index' %}">Admin</a>

then this will reference the above site with the URL: http://127.0.0.1:8000/admin_eTiOmEthelInEwathbace/

Now, you do not want to publish this secret_key; therefore, get it from an environment variable with, for example, decouple, so urls.py then becomes:

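from decouple import config
from django.contrib import admin
from django.urls import path

# Read the secret part of the admin path from the environment / .env file
SECRET_ADMIN = config('SECRET_ADMIN')

urlpatterns = [
    path(f'admin_{SECRET_ADMIN}/', admin.site.urls,),
]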
Praseodymium answered 4/11, 2020 at 8:17 Comment(0)
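A fail-closed variant of the environment-driven admin path described in the answer above, added here as an example and not part of the original answer. The names admin_route and new_admin_segment and the 16-character minimum are assumptions; it reads the variable with os.environ instead of decouple so that it runs with the standard library only.

```python
import os
import re
import secrets

# Assumed policy (not from the answer): 16+ characters from the URL-safe
# alphabet, so the value cannot contain "/", "<" or ">" (which path() would
# treat as separators or converters) and is not short enough to guess.
_SEGMENT_RE = re.compile(r"[A-Za-z0-9_-]{16,}")


def new_admin_segment(nbytes=18):
    """Generate a random value to store in the SECRET_ADMIN variable."""
    return secrets.token_urlsafe(nbytes)  # 18 bytes -> 24 URL-safe characters


def admin_route(environ=None, var="SECRET_ADMIN"):
    """Return the route string for path(), or raise if the value is unusable."""
    environ = os.environ if environ is None else environ
    value = environ.get(var, "").strip()
    if not value:
        # An empty value would silently mount the admin at "admin_/".
        raise RuntimeError(f"{var} is empty or unset; refusing to mount the admin")
    if not _SEGMENT_RE.fullmatch(value):
        raise RuntimeError(f"{var} must be 16+ characters from A-Z a-z 0-9 _ -")
    return f"admin_{value}/"


# In the main urls.py (hypothetical usage, mirrors the answer's pattern):
#     urlpatterns = [path(admin_route(), admin.site.urls)]
```

Raising at import time of urls.py stops the project from starting with a guessable admin path instead of serving it.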
A
2

If you want to prevent brute-force or dictionary attacks and make your admin login page inaccessible to unauthorized or normal users, please follow these steps:

First, install django-admin-honeypot and django-honeypot-signals:

pip install django-admin-honeypot (install in settings.py)
pip install django-honeypot-signals (install in settings.py)

Override this .txt file (because the future tag is deprecated):

templates/honeypot_signals/notification.txt:

{% load i18n %}
{% blocktrans with site_name=site.name %}
{% endblocktrans %}

Invalid login attempt from your duplicate ADMIN panel..
• Review entry at http://{{ site.domain }}{% url "admin:admin_honeypot_loginattempt_change" object.id %} 

Username: {{ object.username }}
IP: {{ object.ip_address }}
Timestamp: {{ object.timestamp }}

django-admin-honeypot makes a fake admin login page, and django-honeypot-signals sends an email to the admin with the credentials if any person tries to access your fake admin login page.

How to access the main admin login page:

  • pip install django-decorator-include

Your main urls.py:

from django.contrib import admin
from django.urls import path
from django.urls.conf import include
from django.conf import settings  # active settings, wherever the settings module lives
from decorator_include import decorator_include
from django.contrib.auth.decorators import login_required, user_passes_test
from django.core.exceptions import PermissionDenied
from django.core.mail.message import EmailMessage
from datetime import datetime
from django.views.generic.base import RedirectView

def only_user():
    def check(user):
        # Allow only authenticated staff or superusers; the parentheses make
        # the grouping explicit ("and" binds tighter than "or").
        if user.is_authenticated and (user.is_superuser or user.is_staff):
            return True

        # Any other logged-in user: notify the admin by email, then deny access.
        time = datetime.now()
        message = f'----------------------------------\nName: {user.username}\nEmail: {user.email}\nTime: {time}.\n----------------------------------\n • {user.username} is not a staff user or admin.For some security reasons..Please block this user from your admin panel(Blacklist).'

        email = EmailMessage(
            f'📛📛📛Alert!! {user.username} is try to accessing your admin panel!!',
            message,
            settings.EMAIL_HOST_USER,
            [settings.EMAIL_HOST_USER],
        )
        # fail_silently is an argument of send(), not an attribute of the message
        email.send(fail_silently=False)

        raise PermissionDenied
    return user_passes_test(check)

urlpatterns = [  
                 
    path('', include('product.urls')),
    
    #This is all fake admin urls...
    path('admin/', include('admin_honeypot.urls', 
          namespace='admin_honeypot')),
    path('site/admin/',RedirectView.as_view(url='/admin')),
    path('user/admin/',RedirectView.as_view(url='/admin')),
    path('secure/admin/',RedirectView.as_view(url='/admin')),
    path('mysite/admin/',RedirectView.as_view(url='/admin')),
    path('admin/secure',RedirectView.as_view(url='/admin')),
    path('real/admin/',RedirectView.as_view(url='/admin')),
    
    #This is real admin login page url
    path('custom_url/', 
         decorator_include([login_required, only_user()], 
         admin.site.urls)),

]

This way you cannot access your admin login page directly. First you need to log in to your website, and then your admin panel is accessible.

How to protect the website's login page from attackers:

 - Use django-defender (https://django-defender.readthedocs.io/en/latest/)
 OR
 - Use Google's hidden reCAPTCHA field (ReCaptchaV2Invisible) (https://pypi.org/project/django-recaptcha/)

If any terrible activity by unauthorized users is detected, you can block their IP address or username by using this Django package:

pip install django-blacklist

Read the docs: django-blacklist

• Sorry for my English

Ahouh answered 14/11, 2020 at 8:41 Comment(0)
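A complementary check from the web-server side, added here as an example and not part of the original answer: it scans access-log lines for requests to the decoy routes listed in the urls.py above and reports clients that repeatedly submit the fake login form. The Common Log Format input, the function names and the threshold of 3 POSTs are assumptions; the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Decoy routes from the urls.py in the answer; "/admin" also covers "/admin/secure".
DECOYS = ("/admin", "/site/admin", "/user/admin", "/secure/admin",
          "/mysite/admin", "/real/admin")

# Assumed input: Common Log Format lines (client IP ... "METHOD target PROTO" status).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_decoy(target):
    """True if the request path is a decoy route or lies below one."""
    path = urlsplit(target).path.rstrip("/")
    return any(path == d or path.startswith(d + "/") for d in DECOYS)


def decoy_activity(lines):
    """Return {ip: {"hits": n, "posts": m}} for requests that touched a decoy."""
    hits, posts = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format
        ip, method, target, _status = m.groups()
        if is_decoy(target):
            hits[ip] += 1
            if method == "POST":
                posts[ip] += 1  # a login form submitted to the fake admin
    return {ip: {"hits": hits[ip], "posts": posts[ip]} for ip in hits}


def suspects(lines, min_posts=3):
    """Client IPs that submitted the fake login form at least min_posts times."""
    activity = decoy_activity(lines)
    return sorted(ip for ip, c in activity.items() if c["posts"] >= min_posts)


# Constructed sample log (documentation IP ranges), not real traffic.
_TS = "[14/Nov/2020:08:41:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {_TS} "GET /admin/ HTTP/1.1" 302 0',
    f'203.0.113.7 - - {_TS} "GET /admin/login/?next=/admin/ HTTP/1.1" 200 1650',
    *[f'203.0.113.7 - - {_TS} "POST /admin/login/?next=/admin/ HTTP/1.1" 200 1702'] * 3,
    f'198.51.100.20 - - {_TS} "GET /site/admin/ HTTP/1.1" 302 0',
    f'198.51.100.20 - - {_TS} "GET /administrator/ HTTP/1.1" 404 179',
    f'192.0.2.10 - staff {_TS} "GET /custom_url/ HTTP/1.1" 200 4120',
]
```

Since the real admin lives at custom_url/, any request to a decoy route is worth recording; the output of suspects() is a candidate list for the blocking step the answer describes.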
