There is a basic HTTP authentication form on my website

Why is the form here in the first place?

Your website is under a ‘brute-force’ attack at the moment. A brute-force attack is an attempt to guess a password by trying numerous options. This particular attack targets your website administration panel.

To prevent your website from being hacked and to increase its security, we have taken additional security measures.

How can I now access the website administration panel?

On any attempt to access your website administration panel (whether it’s Joomla or WordPress), an additional login and password dialogue box will appear with the caption «please use your control panel password». The login required is your hosting service login, which looks like ‘u1234567’. The password required is the current password for your hosting service.

After the basic HTTP authentication succeeds, you will see the standard login form of your website administration panel. There you will have to enter the administrator login and password of your website.

How does basic HTTP authentication work?

The login and password entered in the basic authentication window are compared to the values in a special file, ~/etc/users, which can be accessed from the hosting control panel. The file contents look similar to this: ‘u1234567:dm48bspxIO3rg’. Here, ‘u1234567’ is the login and ‘dm48bspxIO3rg’ is the password hash (important: not the password itself!). A password hash is the result of a certain algorithm applied to the password.

Thus, when you enter your login and password in the basic authentication window, the hash of your password is compared to the hash specified in the ~/etc/users file. If they match, the authentication attempt is successful.
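The ‘login:hash’ file described above can be audited before relying on it. The following Python code is an added example, not part of the original page or the hosting provider's tooling: it reads lines in that format and reports which hash scheme each entry appears to use, judged by shape only. The scheme table lists formats that Apache password files can hold; the two 13-character hashes quoted on this page fit the traditional crypt shape, and the remaining sample lines are constructed.

```python
import re

# Hash formats found in Apache password files, matched by shape only.
SCHEMES = [
    ("bcrypt", re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"), "strong"),
    ("apr1-md5", re.compile(r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}"), "acceptable"),
    ("sha1", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}="), "weak: unsalted"),
    # Traditional crypt(3) uses only the first 8 characters of the password.
    ("des-crypt", re.compile(r"[./A-Za-z0-9]{13}"), "weak: password cut to 8 chars"),
]

def audit_users_file(text):
    """Return (line number, login, scheme, verdict) for each entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        login, sep, stored = line.partition(":")
        if not sep or not login:
            findings.append((lineno, None, "malformed", "expected login:hash"))
            continue
        for name, pattern, verdict in SCHEMES:
            if pattern.fullmatch(stored):
                findings.append((lineno, login, name, verdict))
                break
        else:
            # Nothing matched: the field may hold the password itself.
            findings.append((lineno, login, "unknown", "check that this is a hash"))
    return findings

# The first two lines are the examples quoted on this page; the rest are
# constructed (the bcrypt value is a format placeholder, not a real hash).
SAMPLE = "\n".join([
    "u1234567:dm48bspxIO3rg",
    "u1234567:sl6cJAxtvRHJs",
    "u1234567:$2y$05$" + "A" * 53,
    "u1234567:MyNewPassword!",
    "no-colon-here",
])

if __name__ == "__main__":
    for finding in audit_users_file(SAMPLE):
        print(finding)
```

A 13-character alphanumeric password pasted into the file by mistake would also be reported as ‘des-crypt’, because the match is by shape alone.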

I cannot pass basic authentication

You must be entering the wrong password. Please set a new password for basic authentication:

  1. generate a new password line using the Online Generator. Enter your login ‘u1234567’ in the ‘Username’ field and a new basic authentication password in the ‘Password’ field, then press ‘Generate!’. You can also create a new login-password combination from scratch. The generator will supply you with a line that will look similar to this: ‘u1234567:sl6cJAxtvRHJs’. Here, ‘u1234567’ is the login and ‘sl6cJAxtvRHJs’ is the password hash. Copy this line;
  2. open the hosting control panel (see ‘How to open the hosting control panel’). Proceed to the file manager and go to the ‘etc’ directory. Open the file named ‘users’ and replace its contents with the line from the generator from step 1. Please note that the file will contain a hash of the password, but in the HTTP authentication window you will need to enter the password itself.

If you have successfully completed basic authentication but cannot access your Joomla or WordPress website administration panel, see:

How to reset the administrator password for Joomla
How to reset the administrator password for WordPress

How can I improve my website protection against ‘brute-force’ attacks?

To improve your website security, we recommend that you avoid standard website administrator logins, such as ‘admin’ or ‘administrator’. You should also use only complex passwords. To increase your website protection:

  • change your superuser login to a more elaborate one. Don’t use short names. It’s better if your username consists of both first name and family name. There are lots of Internet resources where you can find a collection of the most popular logins. Learn them and never use them in the future;
  • pick a complex password for your website administrator account. Complex passwords contain both uppercase and lowercase letters, numbers and special characters, such as *, -, _, #, : etc. The recommended length is 10 characters or more, and under no circumstances should it be shorter than 6 characters.

How to disable the basic HTTP authentication form?

We do not recommend disabling this protection immediately after receiving the notification. Brute-force attacks can last for a significant period of time.

To disable the basic HTTP authentication form, do as follows.

Joomla

Proceed to your website directory and then to the ‘administrator’ folder. Open the ‘.htaccess’ file and comment out or delete the following lines:

<Files index.php>
AuthType Basic
AuthName "please use your control panel password"
AuthUserFile .../users
Require valid-user
</Files>

To comment out a line, put the number sign (‘#’) at the beginning of every line:

#<Files index.php>
#AuthType Basic
#AuthName "please use your control panel password"
#AuthUserFile .../users
#Require valid-user
#</Files>

WordPress

Proceed to your website directory and open the ‘.htaccess’ file. Then comment out or delete the following lines:

<Files wp-login.php>
AuthType Basic
AuthName "please use your control panel password"
AuthUserFile .../users
Require valid-user
</Files>

To comment out a line, put the number sign (‘#’) at the beginning of every line:

#<Files wp-login.php>
#AuthType Basic
#AuthName "please use your control panel password"
#AuthUserFile .../users
#Require valid-user
#</Files>
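
After editing ‘.htaccess’ in either the Joomla or the WordPress case, it is worth confirming which login scripts are still protected. The following Python code is an added example, not part of the original page or the hosting provider's tooling: it parses ‘.htaccess’ text and returns the files whose ‘<Files>’ block still enforces basic authentication, treating a block with only some lines commented out as unprotected. The sample text is constructed; ‘.../users’ is the elided path exactly as this page shows it, and ‘example.php’ is a hypothetical file name.

```python
import re

def protected_files(htaccess_text):
    """Map each file name to its AuthUserFile path for every active <Files>
    block that enforces Basic auth with 'Require valid-user'."""
    protected, current, directives = {}, None, {}
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives are inactive
        opened = re.fullmatch(r'<Files\s+"?([^">\s]+)"?\s*>', line, re.I)
        if opened:
            current, directives = opened.group(1), {}
        elif line.lower() == "</files>":
            enforced = (directives.get("authtype", "").lower() == "basic"
                        and "authuserfile" in directives
                        and directives.get("require", "").lower() == "valid-user")
            if current is not None and enforced:
                protected[current] = directives["authuserfile"]
            current = None
        elif current is not None:
            name, _, value = line.replace("\t", " ").partition(" ")
            directives[name.lower()] = value.strip().strip('"')
    return protected

# Constructed sample. '.../users' is the elided path exactly as the page
# shows it; 'example.php' is a hypothetical file name.
SAMPLE = """\
<Files wp-login.php>
AuthType Basic
AuthName "please use your control panel password"
AuthUserFile .../users
Require valid-user
</Files>
#<Files index.php>
#AuthType Basic
#AuthUserFile .../users
#Require valid-user
#</Files>
<Files example.php>
AuthType Basic
AuthUserFile .../users
#Require valid-user
</Files>
"""

if __name__ == "__main__":
    print(protected_files(SAMPLE))
```

The check reads a single ‘.htaccess’ file only and does not account for settings made elsewhere in the server configuration.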