First, be clear that there is more than one way to password-protect a website or a directory (folder) inside a website. One is to use a database management system to control what everybody sees. Another is to use simple htaccess files to require a password. Regardless of which method is used, Hydra is an app for brute-forcing logins: website logins, and just about any other service you can reach over the Internet.
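Whichever way a directory is protected, the defender's side of a brute-force attempt is visible in the web server's access log: one failed authentication after another from the same client in a short span. The following is an added example, not code from the page or from the Hydra project, that scans constructed Apache "combined" log lines and flags any client IP that racks up more than a threshold of failed logins (HTTP 401 on a protected path) inside a sliding time window. The sample lines, the `/admin/` path, the threshold and the window size are all assumptions chosen for the example, and the log is assumed to be in chronological order.

```python
"""Flag password-guessing bursts against a protected path from Apache access logs.

Added example (not from the original page). The log lines are constructed;
the /admin/ path, the threshold (5) and the window (60 s) are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache "combined" format:
#   203.0.113.7  -> six 401s in 19 seconds, then a 200 (a guess that worked)
#   198.51.100.9 -> two typos, then a 200 (a normal user)
#   192.0.2.44   -> six 401s spread two minutes apart (low and slow)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:12 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:20 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:25 +0000] "GET /admin/ HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:30 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:30 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:45 +0000] "GET /admin/ HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:00:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:02:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:04:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:06:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:08:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:10:00 +0000] "GET /admin/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
"""

# client IP, two ident/user fields, bracketed timestamp, request line, status code
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def detect_bruteforce(log_text, protected_prefix="/admin/", threshold=5, window_seconds=60):
    """Flag IPs with more than `threshold` 401s on the protected path within the window.

    Returns {ip: {"peak_failures": n, "later_success": bool}}. `later_success`
    marks a flagged IP that afterwards got a 200 on the same path, which is the
    case to investigate first (a guessed password may have worked).
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if not path.startswith(protected_prefix):
            continue
        if status == 401:
            q = recent[ip]
            q.append(ts)
            # Drop failures that have aged out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) > threshold:
                entry = flagged.setdefault(ip, {"peak_failures": 0, "later_success": False})
                entry["peak_failures"] = max(entry["peak_failures"], len(q))
        elif status == 200 and ip in flagged:
            flagged[ip]["later_success"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak_failures']} failures in window, "
              f"later success: {info['later_success']}")
```

With the default 60-second window only the fast burst from 203.0.113.7 is flagged; the six slow attempts from 192.0.2.44 are two minutes apart and never exceed the threshold, which is the usual blind spot of a short window. Widening the window (say to 15 minutes) catches that client too at the cost of more false positives from forgetful users. The 401 check matches htaccess-style basic authentication, where the server itself rejects bad credentials; a database-backed login form typically answers a failed attempt with a 200 and an error page, so for that kind of site the same logic has to run over the application's own login-failure log instead.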
Assignment: First, watch this video.
Note that there are more videos in this series. Click the YouTube link to find them there.
Mutillidae is another pre-built vulnerable web app. It’s highly aligned with the OWASP testing organization (which can take you wildly deep into the world of web app testing). You can install it side-by-side with other web apps by simply putting it in a separate sub-folder. (How does mutillidae/ sound for a name?)
You should be testing your site. If you don’t – or even if you do – other people will. So get familiar with some of the tools of the trade. Use a local website development tool like XAMPP so you can host vulnerable websites on your security testing computer.
Damn Vulnerable Web App is exactly that: a testing website that’s prebuilt for you, ready to unzip into a folder in your web root. DO NOT run your local web service (like XAMPP) with this web app installed while you are accessible from the Internet. It’s called Damn Vulnerable for a reason. Suggestion: set it up in a virtual machine.
Your site is likely to be attacked by known, old exploits, unless you’re a spy site. Don’t be relieved. You still have to protect your site against all those old threats, and the probabilities are way too great that something evil’s going to work.
Fortunately, truly rigorous auditing can keep you certain that your site is protected against the known threats.