Http Basic Auth

John shared this idea ago

Needs Review

I think cpanel should have features to force all its user to use http basic auth for CMS website while login in administrator section. Attackers these days tries multiple times to login in administrator section. If http baisc auth is enabled I think hackers have to pass it first before they attempt actual cms admin page login.

I have not found such features in cpanel. Is it good or not?

I like this idea 0

Replies (2)

Aila ●

Are you looking for a feature in cPanel & WHM, or a feature within your CMS?

i.e. where would the change actually be implemented?

URL

John ●

It is for cpanel feature. Anyone can do http auth within CMS.

URL

Aila ●

We provide HTTP Basic Authentication, as well as form authentication, within cPanel & WHM. We strongly discourage use of HTTP Basic Authentication as it is less secure than form authentication (see https://documentation.cpanel.net/display/CKB/Basic+Security+Concepts).

Are you asking that if a user is logged into the cPanel interface (e.g. port 2083) the user is required to re-authenticate before being able to use WHM functions (e.g. functions available on port 2087)?

URL

John ●

Forgive me if I am not clear. I want to have something like Force user to use HTTP Basic Auth for their CMS admin page. for example we may have multiple websites hosted in same server where user uses different kinds of cms application. lets say two of the most used cms application are WordPress and Joomla. Their admin login page would be /wp-admin and /administrator. I want every user to forcefully use the http basic auth in these folder. Similar to Password Protect Folder in cpanel. But I want to do this for all user from WHM.

URL

Aila ●

OK, that makes a bit more sense. You want the ability to enable HTTP Basic Auth on specific URLs from WHM. Thanks for the clarification.

Do you want the password protection to apply automatically to every domain hosted on the server?

How would you provide passwords to the users?

URL

John ●

Actually I just want the option to force the user to apply httpd basic auth in their admin section of CMS. The idea is we do not change the password, clients will. When user visited their cpanel then the message should display there mentioning that "your server administrator has force the use of http basic auth in your admin section" or something like that. OR if client install CMS then cpanel should recognize it and ask then if they want to use another level of security in their CMS admin section.

URL

Aila ●

From the discussion this request seems like it would be a very frustrating experience for the user, without any clear benefits being offered. Requiring two separate logins to access the admin section of a CMS (the HTTP Basic Auth plus the CMS authentication) will not prevent problems. It will more than likely drive users away from your service.

In addition the desire to have cPanel & WHM detect the installation of a CMS borders on the impossible. While it is possible to somewhat reliably detect the installation of the handful of common applications, such as wordpress, it is impractical to expect a server control panel to know about every single CMS in existence, both now and in the future. That doesn't even take into consideration custom CMS applications.

There are other ways to mitigate brute force attacks, such as firewall rules, 2 factor auth in the CMS, and the like.

This request, while being an interesting idea, is not something we will implement.

URL

John ●

Okay. just a thought.

URL