Welcome to WebmasterWorld Guest from 220.127.116.11
"For security, you should not upload the htpasswd file to a directory that is web accessible (yoursite.com/.htpasswd), it should be placed above your www root directory"
I'm confused as to how to do this. I'm using the ftp client that is provided by my webmaster and I don't seem to have access to anything other than my www root directory.
Web visitors can't get above your root directory, hence the suggestion. Another solution though is to add a directive to your .htaccess file that tells apache not to allow any requests for files that start with ".ht". Here's what I use:
<Files ~ "^\.ht">
Deny from all
Apache itself will still be able to read your ".ht..." files but not web site visitors.
The only caveat is that it's possible that your web host account may not allow you to have such a directive in your .htaccess file. My suggestion is to try it and see. And if you have problems, check with the webmaster you mentioned.