Support

You have confused THREE different features.

First, the .htaccess Maker. There is no overlap with any other feature. We recommend that you enable it.

Second, the administrator password protection. It is a good idea enabling it to prevent attackers from trying to access your administrator login page. It does use a .htaccess file but it is DIFFERENT that the one created by .htaccess Maker. Pros: it is very efficient, since it's running at the web server level. Cons: it blocks access to all files under administrator unless you know the login credentials. Some very badly written components (like Zoo) will have a problem with that. Moreover there is no log of who got blocked.

The third feature is the administrator secret URL parameter. This has overlap with the administrator password protection. The difference is that this feature only protects the administrator login page, whereas the administrator password protection prevents access to anything inside the administrator directory (including CSS, images and other media files) if you don't know the login credentials. Pros: it doesn't block very badly components. Moreover it logs who got blocked and can be used with the automatic IP blacklisting feature of Admin Tools. Cons: since it's running at the Joomla! level, it is slower than the administrator password protection.

The best idea is to use all three features. If you can't, the use at least the .htaccess Maker and the administrator secret URL parameter features.

Enabling the administrator password protection is the simplest way: nobody can access anything in yoru site's administrator directory (not even an image) if they don't know the username and password.

If you can't do that, the back-end protection in .htaccess Maker will offer protection against common techniques to deduce the exact Joomla! version and direct web access to individual .php files (which can be used to launch attacks against vulnerable files, usually from older versions of components written with poor choices regarding security).

So, more protection (without the possibility to have any exceptions) is provided by the administrator password protection. If you can't / don't want to enable it OR you want to add exceptions to specific files/directories then the .htaccess Maker's back-end protection offers more than adequate protection.

As for redundancy, if you enable the administrator password protection then nobody can access anything inside the administrator directory unless they have a username and password. They have to get past this before the .htaccess Maker's back-end protection kicks in. So, the back-end protection is redundant under normal operating conditions. If you are super paranoid you can enable them both. This way even if someone does guess the username and password for the admin pw protection they won't be able to access vulnerable files or perform exact Joomla! version scanning against your site's back-end.

TL;DR: If you can enable them both, please do. I do on our site. It's a bit paranoid, but I'd rather be paranoid than hacked :)