[Fixed]-How can I change the URL to the Django admin interface?

11👍

Refer to the section ‘Hooking AdminSite instances into your URLconf’ in the url
below
https://docs.djangoproject.com/en/dev/ref/contrib/admin/#hooking-adminsite-to-urlconf

5👍

For those who find this question in recent times. Based on the Django 3.1 docs:

register the default AdminSite instance django.contrib.admin.site at the URL /admin/:

# main project urls.py
from django.contrib import admin
from django.urls import path

urlpatterns = [
    path("admin/", admin.site.urls),
]

you can simply change the admin/ url to anything you wish:

urlpatterns = [
    path("my_custom_url/", admin.site.urls),
]

3👍

If you do not want to use the default page /admin you can add a secret key to admin. So in urls.py

urlpatterns = [
    path('admin_eTiOmEthelInEwathbace/', admin.site.urls,),
]

If in your template you have a link

<a href="{% url 'admin:index' %}">Admin</a>

then this will reference to the above site with url: http://127.0.0.1:8000/admin_eTiOmEthelInEwathbace/

Now you do not want to publish this secret_key, therefore get it from an environment variable with for example decouple, so urls.py then becomes

from decouple import config
SECRET_ADMIN = config('SECRET_ADMIN')

urlpatterns = [
    path(f'admin_{SECRET_ADMIN}/', admin.site.urls,),
]

3👍

If you want to prevent brute force or dictionary attack and your admin login page not accessible for unauthorized user,normal user. please follow this step:

First install django admin honeypot and signal

pip install django-admin-honeypot(inastall in settings.py)
pip install django-honeypot-signals(inastall in settings.py)

override this .txt file(because future tag is deprecated):

templates/honeypot_signals/notification.txt:

{% load i18n %}
{% blocktrans with site_name=site.name %}
{% endblocktrans %}

Invalid login attempt from your duplicate ADMIN panel..
• Review entry at http://{{ site.domain }}{% url "admin:admin_honeypot_loginattempt_change" object.id %} 

Username: {{ object.username }}
IP: {{ object.ip_address }}
Timestamp: {{ object.timestamp }}

django-admin-honeypot make a fake admin login page and django honeypot signal send email to admin with credentials if any person try to access your fake admin login page.

How to access main admin login page?:

  • pip install django-decorator-include

Your main urls.py:

from django.contrib import admin
from django.urls import path
from django.urls.conf import include
from . import settings
from decorator_include import decorator_include
from django.contrib.auth.decorators import login_required, user_passes_test
from django.core.exceptions import PermissionDenied
from django.core.mail.message import EmailMessage
from datetime import datetime
from django.views.generic.base import RedirectView

def only_user():
    def check(user):
        if user.is_authenticated and user.is_superuser or user.is_staff:
            return True
        
        time = datetime.now()
        message = f'----------------------------------\nName: {user.username}\nEmail: {user.email}\nTime: {time}.\n----------------------------------\n • {user.username} is not a staff user or admin.For some security reasons..Please block this user from your admin panel(Blacklist).'
        
        email = EmailMessage(
                            f'📛📛📛Alert!! {user.username} is try to accessing your admin panel!!', 
                            message,
                            settings.EMAIL_HOST_USER,
                            [settings.EMAIL_HOST_USER], 
                            )
        email.fail_silently = False
        email.send()
        
        raise PermissionDenied
    return user_passes_test(check)

urlpatterns = [  
                 
    path('', include('product.urls')),
    
    #This is all fake admin urls...
    path('admin/', include('admin_honeypot.urls', 
          namespace='admin_honeypot')),
    path('site/admin/',RedirectView.as_view(url='/admin')),
    path('user/admin/',RedirectView.as_view(url='/admin')),
    path('secure/admin/',RedirectView.as_view(url='/admin')),
    path('mysite/admin/',RedirectView.as_view(url='/admin')),
    path('admin/secure',RedirectView.as_view(url='/admin')),
    path('real/admin/',RedirectView.as_view(url='/admin')),
    
    #This is real admin login page url
    path('custom_url/', 
         decorator_include([login_required, only_user()], 
         admin.site.urls)),

]

For this way you can not access directly your admin login page.. first you need to login your website and then accessible your admin panel..

How to protect website’s login page from the attackers?:

 - Use django defender (https://django-defender.readthedocs.io/en/latest/)
 ---------------------OR-------------------------
 - Use google hidden(ReCaptchaV2Invisible) recaptcha field 
 (https://pypi.org/project/django-recaptcha/)

If any unauthorized users terrible activity detected.You block their IP address or username by using this django package:

pip install django-blacklist

Read docs : django-blacklist

•sorry for my English

Leave a comment