🚀 Features
Perfect Disguise
Looks identical to the real Django admin login - indistinguishable from the real thing.
No Database
Zero database interactions - completely stateless and lightweight.
No Logging
Doesn't store any credentials or attempt data. Privacy-focused by design.
Always Fails
Every login attempt shows "invalid credentials" error - perfect honeypot behavior.
Plug & Play
Setup in 2 minutes with minimal configuration required.
Django Native
Uses Django's actual admin templates and styling for perfect integration.
📦 Installation
pip install django-admin-trap
Add to INSTALLED_APPS
INSTALLED_APPS = [
    # ...
    'django_admin_trap',
]
⚡ Quick Setup
Replace real admin (recommended for traps):
from django.urls import path, include

urlpatterns = [
    path('admin/', include('django_admin_trap.urls')),  # Fake admin
    # ... your other URLs
]
Perfect for production environments where you want to trap attackers on the main admin URL.
Use alongside real admin:
from django.urls import path, include
from django.contrib import admin

urlpatterns = [
    path('admin/', include('django_admin_trap.urls')),  # Fake admin
    path('real-admin/', admin.site.urls),  # Real admin (hidden)
    # ... your other URLs
]
Keep your real admin accessible but hidden on a different URL path.
Multiple trap endpoints:
from django.urls import path, include
from django.contrib import admin

urlpatterns = [
    path('admin/', include('django_admin_trap.urls')),
    path('wp-admin/', include('django_admin_trap.urls')),
    path('administrator/', include('django_admin_trap.urls')),
    path('real-admin/', admin.site.urls),  # Your actual admin
]
Catch attackers on multiple common admin URLs while keeping your real admin secure.
🛡️ Use Cases
1. Honeypot Security
Put traps on common admin URLs to catch automated attacks and curious intruders.
# Put traps on common admin URLs
from django.urls import path, include
from django.contrib import admin

urlpatterns = [
    path('admin/', include('django_admin_trap.urls')),  # Main trap
    path('wp-admin/', include('django_admin_trap.urls')),  # WordPress trap
    path('real-admin/', admin.site.urls),  # Your actual admin
]
2. Development Mock
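Use the fake admin during development to avoid exposing real admin credentials.
# urls.py (urlpatterns live in the URLconf; DEBUG is read from settings)
from django.conf import settings
from django.contrib import admin
from django.urls import path, include

if settings.DEBUG:
    urlpatterns = [
        path('admin/', include('django_admin_trap.urls')),  # Fake admin for dev
    ]
else:
    urlpatterns = [
        path('admin/', admin.site.urls),  # Real admin for production
    ]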
3. Client Demos
Show clients the admin interface without giving them actual access.
# Show clients the admin interface without giving access
from django.urls import path, include

urlpatterns = [
    path('demo-admin/', include('django_admin_trap.urls')),
]
❓ FAQ
No. Zero database interactions. Completely stateless - no credentials or attempt data is stored anywhere.
It uses Django's actual admin templates and responses, making it very hard to distinguish from a real admin. The behavior and appearance are identical.
Minimal performance impact - just template rendering with no database queries or external API calls.
Yes! Put the real admin on a different URL path and use the trap on common admin URLs.
Works with Django 4.2+ and 5.x. Specifically tested and compatible with Django 5.0.4 and later versions.
🚨 Security Notes
- This is a deterrent, not a complete security solution
- Use in combination with proper security measures
- Keep your actual admin secure and hidden
- Monitor your traps for suspicious activity
- Consider using additional security layers like 2FA for real admin
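
Because the trap stores nothing itself, monitoring has to come from the web server's request logs. The following is an added example, not part of django-admin-trap: it counts POSTs to trap paths per client in common/combined-format access log lines. The trap prefixes, the threshold, and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Assumption: the URL prefixes the trap is mounted on in urls.py.
TRAP_PREFIXES = ("/admin/", "/wp-admin/", "/administrator/")

# Common/combined log format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def trap_hits(lines):
    """Return a Counter of client IP -> number of POSTs to a trap path."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        path = m["path"].split("?", 1)[0]  # ignore the query string
        # No legitimate user submits the fake form, so every POST is a signal.
        if m["method"] == "POST" and path.startswith(TRAP_PREFIXES):
            hits[m["ip"]] += 1
    return hits

def flag_clients(lines, threshold=3):
    """Return the sorted client IPs with at least `threshold` trap POSTs."""
    return sorted(ip for ip, n in trap_hits(lines).items() if n >= threshold)

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "POST /admin/login/?next=/admin/ HTTP/1.1" 200 2210 "-" "-"',
    '203.0.113.7 - - [12/Mar/2025:10:01:03 +0000] "POST /admin/login/?next=/admin/ HTTP/1.1" 200 2210 "-" "-"',
    '203.0.113.7 - - [12/Mar/2025:10:01:04 +0000] "POST /wp-admin/login/ HTTP/1.1" 200 2210 "-" "-"',
    '198.51.100.20 - - [12/Mar/2025:10:05:00 +0000] "GET /admin/login/ HTTP/1.1" 200 2105 "-" "-"',
    '198.51.100.20 - - [12/Mar/2025:10:05:09 +0000] "POST /administrator/login/ HTTP/1.1" 200 2210 "-" "-"',
    '192.0.2.5 - - [12/Mar/2025:10:07:00 +0000] "POST /real-admin/login/ HTTP/1.1" 302 0 "-" "-"',
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    for ip, count in trap_hits(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} trap POST(s)")
    print("flagged:", flag_clients(SAMPLE_LOG))
```

Requests to the real admin path are not counted, so the output reflects trap activity only.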