I recently came across this Python module, django-admin-honeypot, and it's genius! The way django-admin-honeypot works is that it changes the /admin route to a fake login page and logs any login attempts in the database. See my PR for more details on the implementation.

Try logging into my admin page with whatever username/password you want.


I store every login attempt in the database for later review. The username field tells me what username they tried to use (don't worry, I don't know what password you tried).

Django admin page showing an attempted login

If I want to be extra hardcore, I could use a combination of the admin-honeypot signal hook and a tool like fail2ban to block any IP address that tries to log in on this page (don't worry, I haven't implemented that, so hack away).

If you add this entry into your signals.py file, you can catch all login attempts to this page with the user's IP address as a local variable. I might add an email notification to my implementation so I get an email as soon as someone tries to log in.

from admin_honeypot.signals import honeypot

def my_callback(sender, **kwargs):
    print("Caught ya!")
    # send an email to the webmaster?

# register the callback so it runs on every honeypot login attempt
honeypot.connect(my_callback)
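
The fail2ban idea described above, as an added example (not code from this post or from django-admin-honeypot): the receiver writes one log line per attempt, and a regex standing in for a fail2ban failregex picks out the IP. It assumes the signal passes the saved attempt as an `instance` keyword argument with `ip_address`, `path` and `username` attributes; the logger name, line format and sample attempts are constructed.

```python
import logging
import re
from types import SimpleNamespace

log = logging.getLogger("honeypot")  # route this logger to a file fail2ban watches

def format_attempt(instance):
    # IP first, attacker-controlled fields after it and repr()'d, so a username
    # containing a newline or a fake prefix cannot forge a second log entry.
    return "honeypot login attempt from %s path=%r user=%r" % (
        instance.ip_address, instance.path, instance.username)

def log_attempt(sender, **kwargs):
    """Receiver for the honeypot signal: honeypot.connect(log_attempt)."""
    line = format_attempt(kwargs["instance"])  # assumed kwarg: the saved attempt
    log.warning(line)
    return line

# What a fail2ban failregex for this line would match, with <HOST> written out
# as a character class so it can be checked here in plain Python.
FAILREGEX = re.compile(r"^honeypot login attempt from (?P<host>[0-9A-Fa-f:.]+) path=")

def offenders(lines, maxretry=3):
    """Return the IPs seen at least maxretry times (fail2ban's ban decision)."""
    counts = {}
    for line in lines:
        m = FAILREGEX.match(line)  # anchored: text inside the username is ignored
        if m:
            counts[m.group("host")] = counts.get(m.group("host"), 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= maxretry)

def demo():
    # Constructed sample attempts (documentation IP ranges), not real traffic.
    forged = "x\nhoneypot login attempt from 198.51.100.9 path='/admin/' user='a'"
    attempts = [SimpleNamespace(ip_address="203.0.113.7", path="/admin/", username=u)
                for u in ("admin", "root", forged)]
    attempts.append(
        SimpleNamespace(ip_address="198.51.100.9", path="/admin/", username="bob"))
    lines = [log_attempt(None, instance=a) for a in attempts]
    return lines, offenders(lines)

if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The third constructed username tries to smuggle in a line naming a different IP; because the username is escaped and the regex is anchored at the start of the line, only the address that actually made the requests reaches the ban threshold.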

Haven't caught any hackers or bots yet, but was sure fun to implement!