On Wed, Dec 2, 2020 at 9:23 AM Collin Anderson <cmawebs...@gmail.com> wrote:

> > combination of blocking IPs and having a different admin URL would raise
> > the bar quite a bit.
>
> So having a different default admin URL would help, right?
>

Sure.  But so would disconnecting the network cable from your server. :)
It's all about practicality.

Using something similar to django-axes raises the bar quite a bit, but
simply obscuring the URL doesn't do much.

I have plenty of apps exposed with the admin URL being '/admin/', but no
one's been able to compromise the site because I use django-axes to block
repeated attempts, and I have a strong password.  On several of the sites I
require logins with a YubiKey.

In my worthless opinion, I think it would be better to leave it in the
urlconf but commented out with a note that says "you might want to change
the admin URL to something different before you enable it for $REASONS".
Maybe have something in the docs on deploying your code into production
that goes over it too.

-A

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CAEE%2BrGqvVXrAZbWwuieitTVTNuKzR%2B%2BWWqc-6HsO4LO0OhvEog%40mail.gmail.com.