The admin interface of your site provides access to almost every piece of data stored, so don't leave the metaphorical gate lightly guarded. In fact, one of the only telltale signs that someone is running Django is that when you navigate to http://example.com/admin/, you will be greeted by the blue login screen.
In production, it is recommended that you change this location to something less obvious. It is as simple as changing the following line in your root urls.py:
path('secretarea/', admin.site.urls),
A slightly more sophisticated approach is to use a dummy admin site at the default location or a honeypot (see the django-admin-honeypot package). However, the best option is to use HTTPS for your admin area (and everywhere ...