...there are ways to determine what folders are present on a website...
and so theres always ways not to give out site directory structure, a proper setup 404 page being one of them.
...bad Apache configuration, Apache bug, shared hosting bug...
in that case one could only pray god morning & night or every 15 minutes for protection. and is there a bug to accept ANY password you may type in when prompted for one, if not why not?
...Anyone smart enough to write a bot that tries all osCommerce sites...
the word *smart* should be properly replaced by *stupid*. smart guy dont try those poor (poorer than a mouse) osc shops instead theyd spend their time on high profile sites which would need a proper guy to properly protect, and thats the real battle field.
...what FTP has to do with it...
ftp only has something to do with it is when someone claim the only way is pw protect it. ok, you have pw, plus SSL, if iwere hacker, id listen to your ftp traffic as MOST hosts do not offer SFTP to intercept your ftp details. now, even an dummy would now how to use ftp to rename a file to render it into useless. so all a sudden your .htaccess becomes nothing.
...Most shops might be able to get by without using SSL and never be exploited...
should add pw .htaccess to it. and dont forget some SSL itself is also exploitable as reported not so long ago. so if youare so worried, then you may develop a mental problem as the list of loophole would go longer and longer.
...does not apply to password protecting the folder, which is free.
...a small amount of time...
try to tell steve above or someone like him, they have been having almost life threatening troubles to try to do it, which is what prompts me to make my suggestion, to save their life!
knowing something does NOT neccesarily mean you have to use it anywhere anytime any situation.