Put .htaccess for folderprotection into vhost or include in vhost
AuthType Basic
AuthName "Members Only"
AuthUserFile /var/www/clients/clientXXXXX/webXXXXXX/web/.htpasswd
require valid-user
No Problem with overwrite, ftp cant change it. If ftp hacked -> cant remove password protection