Manual.rst: add tip how to use .htaccess.

extension/Documentation/Manual.rst

@@ -1274,13 +1274,17 @@ Secure direct file access
 -------------------------
 
 If the application uploads files, mostly it's not necessary and often a security issue, to offer a direct download of
-the uploaded files. Best is to create a directory, e.g. `<site path>/fileadmin/protected` and deny direct access via webbrowser to it.
-E.g. for Apache set a htaccess rule: ::
+the uploaded files. Best is to create a directory, e.g. `<site path>/fileadmin/protected` and deny direct access via
+webbrowser to it. E.g. for Apache set a rule: ::
 
 		<Directory "/var/www/html/fileadmin/protected">
 			Require all denied
 		</Directory>
 
+If you only have access to `.htaccess`, create a file `<site path>/fileadmin/protected/.htaccess` with: ::
+
+    deny from all
+
 **Important**: all QFQ uploads should then save files in or below such a directory.
 
 To offer download of those files, use the reserved columnname '_download' (see `download`_) or variants.