Securing your Sphider

You may have read before that I have suggested securing the Sphider admin directory with password protection. After all, you don’t want to take a chance of someone else gaining access and changing all of your settings… or worse!

But Sphider has a number of other directories within it. What about those? Well, MOST of them can also be password protected. The rule is: if the files in a directory only need to be accessed by PHP, the directory can be password protected. If any file in a directory needs to be accessed by a web browser, it shouldn’t be password protected. For example, the templates directory should not be password protected. It contains CSS files, which the browser needs to display search forms and results properly. Js_suggest should not be password protected. It contains JavaScript which the browser needs to access. The tmp directory (not the one in admin) should not be password protected, as the browser needs to be able to read and write there. Other than that, go ahead and add password protection.
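One way to apply that rule in bulk, as an added example that is not part of the original post or of Sphider itself: the script below writes an Apache Basic-auth `.htaccess` into every top-level Sphider directory except templates, js_suggest and tmp. It assumes Apache with `.htaccess` overrides enabled and an existing htpasswd file; the function names and the sample paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Apache with .htaccess
# overrides enabled and an htpasswd file that already exists outside the web root.

# Top-level directories the browser must reach, per the rule above.
BROWSER_DIRS="templates js_suggest tmp"

is_browser_dir() {
    for d in $BROWSER_DIRS; do
        if [ "$1" = "$d" ]; then return 0; fi
    done
    return 1
}

# protect_sphider SPHIDER_ROOT HTPASSWD_FILE
# Writes a Basic-auth .htaccess into every other top-level directory and
# prints the name of each directory it protected, one per line.
# Only top-level names are compared, so admin/tmp is covered by admin's file.
protect_sphider() {
    root=$1
    htpasswd=$2
    for path in "$root"/*/; do
        [ -d "$path" ] || continue
        name=$(basename "$path")
        if is_browser_dir "$name"; then continue; fi
        if [ -e "${path}.htaccess" ]; then
            # Never clobber rules that are already in place.
            echo "skip $name: .htaccess already exists" >&2
            continue
        fi
        printf '%s\n' \
            'AuthType Basic' \
            'AuthName "Sphider restricted"' \
            "AuthUserFile \"$htpasswd\"" \
            'Require valid-user' > "${path}.htaccess"
        echo "$name"
    done
}

# Usage: sh protect_sphider.sh /path/to/sphider /home/user/.htpasswd
if [ "$#" -eq 2 ]; then
    protect_sphider "$1" "$2"
fi
```

After running it, load the search page in a browser to confirm the form, styles and suggestions still work without a login prompt.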

Oh! One more thing. Add SSL. At one time it was expensive and primarily used by sites like businesses with checkout pages and such. Today, SSL in some cases can be free. DreamHost offers “Let’s Encrypt SSL” for free. Then there are self-signed certificates, also free (but not as trustworthy). The advantage of SSL is that when you do need to enter a user name and password for one of your password-protected directories, it can’t be intercepted.