"In general, you should only use .htaccess files when you don't have access to the main server configuration file. There is, for example, a common misconception that user authentication should always be done in .htaccess files, and, in more recent years, another misconception that mod_rewrite directives must go in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things. Likewise, mod_rewrite directives work better, in many respects, in the main server configuration." -- Apache.org
I would recommend configure Fail2Ban to monitor Apache Auth via HTPasswd
Basically instead of the code going into
It goes in
This speeds up Apache because it does not have to search each directory recursively for .htaccess, it has all the information needed in once file, apache2.conf
Ok so lets secure
Lets Edit Apache2.conf, then create the directory to be protected, then create the .htpasswd file to store Username and Encrypted PWD and finally restart apache to enable changes.
NOTE: -c falg after htpasswd creates new file, do not use if adding to .htpasswd as it will overwrite old file (AKA Clobber)