How I Built a Django Honeypot to Catch Attackers (and What I Learned)

If you've ever managed a Django website, you've likely noticed the constant barrage of bots trying to break into your /admin/ page. These automated attacks range from brute-force password guessing to credential stuffing, and scanners probing for vulnerabilities. Watching my server logs flood with failed login attempts got me thinking: there has to be a better way to handle this than just relying on reactive measures like rate limiting. The main issue is that attackers know Django’s default admin path is /admin/, making it a prime target. They hammer this endpoint relentlessly, wasting resources and posing a real security threat if any credentials slip through. Rather than just reacting to attacks as they happen, I wanted a proactive solution that could mislead attackers and gather useful intel at the same time. So, I developed HoneyGuard, a Django package that sets up fake admin login pages—essentially honeypots. The trick is simple: you move your actual admin interface to a different URL like /secret-admin/, and HoneyGuard serves up a convincing fake login page at /admin/. This wastes attackers’ time and resources, while you can monitor their behavior closely. HoneyGuard isn’t just a dummy page. It actively detects suspicious behavior such as form submissions done way too fast—under 10 minutes is a red flag since humans take longer to type—and the filling out of hidden form fields designed to trick bots. It records each attempt with details like IP address, user agent, timestamps, and even metrics like username and password length (but not the actual password for security). A risk score is calculated based on anomalies and suspicious patterns, making it easier to prioritize threats. To keep you informed, HoneyGuard can send email alerts about high-risk attempts, and it integrates with Django’s signal framework for custom handling of events. For developers testing things out, console logging is also available to track honeypot activity locally. The setup is pretty straightforward: install the django-honeyguard package, add it to your installed apps, configure basic settings like email recipients, and update your URL routes to serve HoneyGuard’s fake admin page and safely relocate your real admin. That’s all it takes to set a trap for attackers while protecting your real backend. Along the way, I learned a few interesting things. Timing attacks are real—bots submit forms in milliseconds, way faster than any human could. Also, many bots try hitting WordPress admin URLs like /wp-admin.php even on Django sites, so HoneyGuard includes a fake WordPress login page to catch those too. I made sure to validate all settings at Django startup to catch misconfigurations early, and I prefer using Django’s signals over callbacks because it makes customization easier. Looking ahead, I’m thinking about adding features like Geo-IP blocking to temporarily ban repeat offenders, machine learning to detect complex attack patterns, and integration with tools like fail2ban for automated IP banning. I’m curious what other features users would find helpful, and open to suggestions. Overall, turning the default admin page into a honeypot changes the game from defending passively to actively misleading attackers and gathering valuable data. It’s a fresh take on securing Django sites that helps admins stay a step ahead of the bots.