There are many security guides that recommend protecting your hidden files (.htaccess, .htpasswd etc.) with .htaccess rules.
So to protect your hidden files, just add this code snippet to your main site .htaccess file.
# Deny access to hidden files - files that start with a dot (.)
<FilesMatch "^\.">
Order allow,deny
Deny from all
</FilesMatch>If you are using a VPS or dedicated server, you can add this code in the /home/.htaccess file, so it will protect hidden files on all the sites.
Notice that you will still be able to edit the file via FTP/control panel File Manager.
Related articles:
.htaccess articles