Is .htaccess directory restriction enough?

Question

I'm building a Mp3 store with Drupal and Ubercart. I would like to implement the best security measures to proctect the content from hackers etc. I have a file directory with .htaccess file

Contents of the .htaccess file

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Deny from all
Options None
Options +FollowSymLinks

Is this enough or should the mp3 files be stored outside of the webroot?

Does VPS Hosting provide better security than shared hosting?

Answer 1

It appears that you have set file system to Private and files will be transferred via Drupal. From my experience, it works and it's almost secure, unless:

1. A third party can access your server via FTP or a higher protocol.
2. A user can gain access to execute PHP.
3. Make sure that, if you have IMCE or other file browser module enabled, these secured folders are not allowed to access.
4. Whatever plan you have, hosting company has access to your files. But usually, a correctly configured can be more secure than a shared host because you can use private temporary folders, and you can have more control over who can access your server and banning bad guys.