Config for protected folders in Apache should be done in vhost file
Currently a .htaccess file is used to realize folder protection, which is not recommended (https://httpd.apache.org/docs/2.4/howto/htaccess.html#when). This should be done directly in the vhost file with an additional <directory> directive. The .htpasswd file could go, for example, to /var/www/.../private and not be accessible via web even if the user makes a strange config (or stay where it is).
(Background is that I had a user who set the option "Apache AllowOverride=none" for performance reasons without realizing that this disables the password protection.)
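
A sketch of the layout proposed above, added here as an illustration and not taken from the project's generated configuration. The host name, the paths under /var/www/example.test, the folder name "protected" and the realm string are constructed placeholders.

```apache
# Before: the protection lives in a per-directory file such as
#   /var/www/example.test/web/protected/.htaccess
# containing:
#   AuthType Basic
#   AuthName "Restricted"
#   AuthUserFile /var/www/example.test/web/protected/.htpasswd
#   Require valid-user
# With "AllowOverride None" Apache never reads that file, so the folder
# is served without any password prompt.

# After: the same rules sit in the vhost file and no longer depend on
# AllowOverride at all.
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/example.test/web

    <Directory /var/www/example.test/web>
        # .htaccess processing can stay off for performance.
        AllowOverride None
        Require all granted
    </Directory>

    # More specific section: its Require replaces the parent's
    # "Require all granted" (AuthMerging defaults to Off).
    <Directory /var/www/example.test/web/protected>
        AuthType Basic
        AuthName "Restricted"
        # Password file kept outside the DocumentRoot, so no URL maps to it.
        AuthUserFile /var/www/example.test/private/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

After reloading Apache, an unauthenticated request to the protected folder should return 401 regardless of the AllowOverride setting.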