You can use .htaccess to PW protect a directory, then anything in the directory would require a PW to access...the only problem is that .htaccess is not real effiecient so it will leave the server susceptable to an inadvertant DoS atteack if someone tries to brute force the password, but a simple code that will block an IP addy after 3-4 attempts would take care of that.