views: 131
answers: 1

Hello

I am curious about the security of the default admin panel of Django. For a live Django website, I will be using Django admin for all management, and it feels like simply asking for a username and password at the mysite.com/admin/ URL is kind of weak against brute force attempts (or maybe dictionary-based attempts; I have very little knowledge about automated hacking attempts).

What would you suggest for extra protection?

My ideas are:

  • only allowing admin/ login for specific IPs (I have no idea how to achieve this)
  • asking for a reCAPTCHA (I can find some info on using reCAPTCHA with Django, but do not know about the admin login)

Thanks

+1  A: 

Why do you think a username and password is weak? It seems to work for Google, so it's probably good enough for you.

I don't see how recaptcha would help you, and I think limiting access to certain IPs is probably only going to be useful if you're using Django in a corporate style setting, where you only ever want people to access your admin site from within the corporate network, though even that will probably burn you in the long run when internal IPs change for some reason.

If you're concerned about brute force attacks, you might be interested in Luke Plant's comments on this thread in the django-developers mailing list, and this post by Simon Willison, one of the lead developers of Django.

Dominic Rodger
Thanks a lot for the great answer! (especially for Simon Willison's link) As he states, limiting login attempts per fixed minute is a good idea; I will try to implement it :)
Hellnar
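The two ideas discussed in this thread, an IP allow-list for the admin URL and a per-minute cap on failed login attempts, as an added, self-contained example (not code from the question, the answer, or Django itself). It uses only the Python standard library so it runs offline: the user store, the salted digest, the allow-listed networks, the addresses and the `attempt_login` entry point are all constructed for the demo; in a real Django site the password check is `django.contrib.auth.authenticate`, and the counters would live in Django's cache framework rather than in process memory so that every worker sees the same counts.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Constructed sample user store: username -> salted SHA-256 hex digest.
# Stand-in for Django's password hashing, only to keep the demo self-contained.
_SALT = b"demo-salt"


def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {"admin": _digest("correct horse battery staple")}

# Hypothetical allow-list for /admin/: an office range (RFC 5737 test net) and localhost.
ADMIN_ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def ip_allowed(remote_addr: str) -> bool:
    """Idea 1 from the question: serve the admin login only to listed source addresses."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:          # malformed or spoofed header value
        return False
    return any(addr in net for net in ADMIN_ALLOWED_NETWORKS)


class FixedWindowLimiter:
    """Idea 2 (Simon Willison's suggestion): at most `max_failures` failed
    logins per `window` seconds for a given key, counted in fixed windows."""

    def __init__(self, max_failures: int = 5, window: float = 60.0):
        self.max_failures = max_failures
        self.window = window
        # key -> [failure_count, window_start_timestamp]
        self._buckets = defaultdict(lambda: [0, 0.0])

    def _bucket(self, key, now: float):
        count, start = self._buckets[key]
        if now - start >= self.window:          # window expired: start a fresh one
            self._buckets[key] = [0, now]
        return self._buckets[key]

    def blocked(self, key, now: float) -> bool:
        return self._bucket(key, now)[0] >= self.max_failures

    def record_failure(self, key, now: float) -> None:
        self._bucket(key, now)[0] += 1

    def reset(self, key) -> None:
        self._buckets.pop(key, None)


limiter = FixedWindowLimiter(max_failures=5, window=60.0)


def attempt_login(remote_addr: str, username: str, password: str, now: float) -> str:
    """Returns 'forbidden', 'throttled', 'denied' or 'ok'. `now` is injected so the
    window logic is testable without sleeping."""
    if not ip_allowed(remote_addr):
        return "forbidden"

    # Count per (address, username) AND per address, so one source cannot spray many
    # usernames. A username-only counter would let an attacker lock out the admin.
    keys = (("ip", remote_addr), ("pair", remote_addr, username))
    if any(limiter.blocked(k, now) for k in keys):
        return "throttled"

    # Always run the constant-time compare, even for unknown users, so response
    # time does not reveal which usernames exist.
    expected = USERS.get(username, _digest("<no-such-user>"))
    ok = hmac.compare_digest(expected, _digest(password)) and username in USERS

    if not ok:
        for k in keys:
            limiter.record_failure(k, now)
        return "denied"
    for k in keys:          # successful login clears the counters for this key pair
        limiter.reset(k)
    return "ok"
```

Two caveats a practitioner would check before deploying this pattern: a fixed window lets an attacker fit almost twice `max_failures` into the seconds around a window boundary (a sliding window or token bucket closes that gap), and behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so the key must come from a forwarded-for header that only the trusted proxy can set, otherwise the attacker picks both the IP that is allow-listed and the IP that is counted.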