To run a really tight ship, you’ll want to stop users from setting up .htaccess files that can override security features you’ve configured. Here’s one way to do it: in the server configuration file, add the following:
<Directory /> AllowOverride None Options None Allow from all </Directory>
then set up for specific directories. This stops all overrides, includes, and accesses in all directories apart from those named.