Why Your Django Logs Are Full Of 404s
A small change that can reduce the attack surface of your Django site.
One of the most common things you will see in your logs once your site has been publicly available long enough is a bunch of 404 errors for URLs that, at first glance, don't make sense. For example, you might see requests for /wp-admin/ or /user/login. While these paths may mean nothing to you, they do to a WordPress or a Drupal admin.
Most of these requests are made by automated bots mapping your site for, usually, malicious reasons. If you have a notification system for login attempts, you'll likely find that they aren't just mapping your site, they're actively trying to gain control of it.
In the Django world there are packages like django-axes or django-defender to block these attempts and notify you if something bad happens. However, this post is about a simpler step, one that, by the way, shouldn't be your only hardening strategy, but that can significantly reduce the volume of those automated attacks: changing your admin URL.
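To make the pattern described above concrete, here is an added example (not code from the original post) that parses a few constructed access log lines in Common Log Format and flags clients whose 404s land on paths that only make sense for other platforms or for Django's default admin. The log lines, the PROBE_PATHS list and the threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/ HTTP/1.1" 404 179
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 179
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /user/login HTTP/1.1" 404 179
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /admin/ HTTP/1.1" 404 179
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /blog/ HTTP/1.1" 200 5120
198.51.100.2 - - [10/Oct/2023:13:56:05 +0000] "GET /blog/old-post/ HTTP/1.1" 404 179
"""

# Paths that belong to WordPress, Drupal or Django's default admin. On a site
# that serves none of them, a 404 here is a strong hint of automated probing.
PROBE_PATHS = ("/wp-admin/", "/wp-login.php", "/xmlrpc.php", "/user/login", "/admin/")

# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the client IP, request path and status of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "status": int(m.group("status"))}


def find_scanners(log_text, min_probe_hits=2):
    """Map client IP -> list of probe paths for clients whose 404s hit at least
    `min_probe_hits` known probe paths. An ordinary visitor hitting one stale
    link (like 198.51.100.2 above) is not reported."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        if rec["path"] in PROBE_PATHS:
            probes[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in probes.items() if len(paths) >= min_probe_hits}


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} probe 404s -> {', '.join(paths)}")
```

Feeding your real access log through find_scanners gives you the list of clients worth rate limiting or blocking, and the same probe list is a useful starting point for the alerting the post mentions.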
Most bots aren't programmed to be flexible. Once they have exhausted their list of hardcoded URLs, they usually move on to the next site. More sophisticated attackers will eventually find your entry points, but those should be far less common.
How to change the admin URL
To change the admin URL in Django, we just need to go to our root urls.py and update the path as follows:
from django.contrib import admin
from django.urls import path

urlpatterns = [
    # Anything other than the default 'admin/' will do; pick something not guessable.
    path('secret-admin/', admin.site.urls),
    # ...
]
Maybe use environment variables
Personally, I prefer to use environment variables. I typically define a variable like DJANGO_ADMIN_URL and access it via the settings:
from django.conf import settings
from django.contrib import admin
from django.urls import path

urlpatterns = [
    # DJANGO_ADMIN_URL is read from the environment in settings.py
    path(settings.DJANGO_ADMIN_URL, admin.site.urls),
    # ...
]
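The settings side of this is not shown in the post, so here is an added example (not the post's code) of a small helper that reads DJANGO_ADMIN_URL from the environment and normalises it into the form path() expects: no leading slash, a trailing slash, never empty and never the site root. The helper name, the default value and the settings.py placement are assumptions; it is written without importing Django so it can be unit tested on its own.

```python
import os

# Django's conventional default; used only when the variable is unset, and
# exactly the value the post recommends moving away from.
DEFAULT_ADMIN_URL = "admin/"


def admin_url_from_env(environ=None, var_name="DJANGO_ADMIN_URL"):
    """Read the admin route from `environ` (defaults to os.environ) and normalise it.

    path() routes carry no leading slash, and admin.site.urls registers
    sub-routes relative to the prefix, so a trailing slash is required;
    both are fixed here rather than left to whoever sets the variable.
    """
    environ = os.environ if environ is None else environ
    raw = environ.get(var_name, DEFAULT_ADMIN_URL).strip()
    if not raw:
        raise ValueError(f"{var_name} must not be empty")
    route = raw.strip("/") + "/"
    if route == "/":
        raise ValueError(f"{var_name} must not be the site root")
    return route


def is_default_admin_url(route):
    """True when the configured route is still the guessable default."""
    return route == DEFAULT_ADMIN_URL


# Assumed usage in settings.py (hypothetical, not from the post):
#     DJANGO_ADMIN_URL = admin_url_from_env()
#     if not DEBUG and is_default_admin_url(DJANGO_ADMIN_URL):
#         raise ImproperlyConfigured("set DJANGO_ADMIN_URL in production")
#
# The root urls.py then uses it exactly as in the post:
#     path(settings.DJANGO_ADMIN_URL, admin.site.urls)

if __name__ == "__main__":
    print(admin_url_from_env({"DJANGO_ADMIN_URL": "/ops/console"}))  # ops/console/
```

Failing hard at startup when the default is still in use in production is a cheap way to make sure the change survives a fresh deployment where someone forgot to set the variable.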