My question is: I'm using Akeeba Admin Tools and it has already created an .htaccess for my website. Do I still need to create .htaccess for those folders mentioned above?
No, you don't. Before you shoot yourself in the feet, DO NOT put this .htaccess file in the components directory and ESPECIALLY in the administrator/components directory! The latter will break Joomla! Update and possibly other software including but not limited to Akeeba Backup's integrated restoration (it runs on a directly accessible .php file since, by definition, restoring a backup replaces your Joomla! installation making it impossible to run Joomla! while this is in progress - more on why that's safe later). That's why the author of that article did not tell you to do that. BUT! By not protecting the components folders' files from direct access you are not really adding up to your site's security. I'm afraid the author of that article didn't understand my Master .htaccess file or its fork over at the security page of the Joomla! wiki :)
Don't worry, though. Admin Tools has got your back. The .htaccess Maker has two features "Front-end protection" and "Back-end protection". These features deny access to all .php files (and a bunch of other files) unless explicitly allowed.
The files index.php and administrator/index.php are always allowed as these are the files which serve your site's frontend and backend (even when you don't see index.php in the URL, there is some Apache URL rewriting magic behind the scenes). Also, we allow the restore.php files inside the backend folders of Akeeba Backup and Joomla! Update used to restore backups and update Joomla! respectively. This is safe because these files are inert until the point in time where a backup restoration / Joomla! update is taking place and even then they will only respond to encrypted messages with a key known only to the browser used by the Super User carrying out the relevant operation.
Moreover, all other static files are denied access except for very specific file types (CSS, JavaScript, fonts, bitmap images, vector images, videos) in the media directory of your site and inside the component's folders. This prevents access even to language INI files which can be used to indirectly -but accurately- detect the version of installed components. Allowing access only to media files makes that process far less accurate, therefore making it mostly useless to potential attackers, prowling for vulnerable sites.
On top of that, the .htaccess Maker makes it much easier for you to add exceptions to these rules which might be necessary for some extensions' features. For example, some e-commerce applications need to provide callback URLs to third party sites which handle credit card payments. In some cases this is done with bespoke .php files which do load up Joomla! and need to be allowed to be directly accessed. This is something you can't easily do with a bazillion .htaccess files in the components directory.
Executive summary (TL;DR)
- You don't need to and should not put .htaccess files all over the place.
- Admin Tools' .htaccess Maker does something even more secure than that.
- Admin Tools' .htaccess Maker allows you to add exceptions to these rules much easier, without having to deal with locating and editing arbitrary .htaccess files.
Nicholas K. Dionysopoulos
Lead Developer and Director
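The deny-by-default policy described in the reply above, sketched as a single root .htaccess fragment. This is an added illustration, not part of the original reply and not the file Admin Tools generates; the two `com_example_*` paths and the exact extension list are assumed placeholders, and the fragment is assumed to sit before Joomla!'s own SEF rewrite rules.

```apache
# Simplified illustration of one central allow-list; requires mod_rewrite.
RewriteEngine On

# 1. Entry points that must stay directly accessible.
#    index.php and administrator/index.php serve the frontend and backend.
RewriteRule ^index\.php$ - [L]
RewriteRule ^administrator/index\.php$ - [L]

# 2. Explicit exceptions, all kept in this one file.
#    Placeholder path standing in for a backup/update restore.php file:
RewriteRule ^administrator/components/com_example_backup/restore\.php$ - [L]
#    Placeholder path standing in for a payment gateway callback script:
RewriteRule ^components/com_example_shop/callback\.php$ - [L]

# 3. Media file types only (CSS, JavaScript, fonts, bitmap and vector
#    images, videos) in the media directory and the component folders.
#    The extension list is a constructed, representative sample.
RewriteRule ^(media|components|administrator/components)/.+\.(css|js|woff2?|ttf|png|jpe?g|gif|webp|svg|mp4|webm)$ - [L,NC]

# 4. Any other file that really exists in those folders is refused.
#    This covers language .ini files, XML manifests and similar.
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^(media|components|administrator/components)/ - [F]

# 5. Any .php file not allowed in steps 1 and 2 is refused, site-wide.
RewriteRule \.php$ - [F,NC]
```

Rule order matters: the `[L]` rules in steps 1 to 3 stop processing for allowed requests, so only requests that matched no exception reach the `[F]` (403 Forbidden) rules in steps 4 and 5.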