401 Unauthorized in the service of evil

Faced the following situation. On the forum (fresh IPB), the attacker puts a picture that is in a closed area. The user requests the page and receives an error 401 with everything inherent - the login and password entry window. Divorce, of course, is designed for extremely inexperienced users and most likely not new, but nonetheless.

Nevertheless, IPB is not protected from this, and with it, I dare to suggest, there are still a lot of resources, including our beloved Habr. Anyone can make sure of the latter using a draft copy; For obvious reasons, I will not give an example myself.

It would be interesting (and I think, not only me) to know your thoughts and suggestions on this matter.