Publicly exposed Django admin becomes high-value attack target

Django /admin/ endpoint is accessible from the public internet without IP restrictions, VPN requirement, or network isolation, making it a target for credential stuffing and brute force attacks.

Restrict admin access: deploy behind VPN or private network, use IP allowlisting at proxy/firewall, move to separate hostname, or require MFA. Monitor admin access logs for unusual locations or failed login patterns. Never leave default /admin/ path publicly accessible.