Hi,
I'm trying to make my site more secure. Does anyone know how to adjust these two php values:
register_globals = Off
magic_quotes_gpc = Off
I've tried a php.ini file in the \public folder and the cgi-bin folder.
Thanks for your help.
Matthew
Probably your best bet would be to add the following lines to an htaccess file in your root
php_flag register_globals off
php_flag magic_quotes_gpc off
If you don't already have one, an htaccess file is simply a text document named .htaccess that is uploaded into your root. Simply create one with the lines of text mentioned above and upload it and you should be all set.
Web hosting providers seldom permit clients to create 'ini' files on a shared server, so htaccess is a good place to start.
Then make sure you validate all form fields and url inputs to prevent XSS (cross site scripting) and SQL injection if your site uses a database.
Never use Javascript for Password protection unless you employ AES or DES encryption of the data (web hosts don't like people doing this because they cannot read the data and don't know what you're keeping on their server!)
Some protection against 'site-scraping' can be achieved by dynamically altering the CSS file and corresponding class/id names. Javascript can also be used to great effect to either write or swap page contents around because bots can only read it but not execute it. A smaller version of this trick uses javascript to 'cloak' an email address from harvester bots.
Contact form scripts are another area often overlooked. Again make sure the fields are validated and do try to include some anti-bot measures such as a 'Captcha' or checking of the referer and useragent variables for known bots. Adding an IP based flood control to prevent the same IP sending multiple messages in a small time frame can also save a lot of headaches as well.
Buried in the T&C for many webhosts is a clause stating that accounts may be automatically suspended for spamming. Normally spamming applies to you sending emails to multiple recipients in a short space of time; however, a contact form being click-bombed by a nefarious competitor creates the same result and your account gets a temporary ban as a result until a human with admin status looks at where all the email was sent.
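As an added example (my own, not code from either post), here is a small contact-form handler that checks at runtime whether the two settings above are really off once the .htaccess is in place, and does the field validation, parameter binding and output escaping the reply recommends. It assumes PHP 5.2+ with PDO and PCRE UTF-8 support; the sqlite DSN and the `messages` table are made-up placeholders.

```php
<?php
// Added example, not the thread's code. Assumes PHP 5.2+ with PDO; the DSN
// and the `messages` table are placeholders, not anything from the thread.
// Names of the legacy settings that are still switched on.
function legacy_settings_still_on()
{
    $on = array();
    if (ini_get('register_globals')) {           // "" or "0" when off
        $on[] = 'register_globals';
    }
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $on[] = 'magic_quotes_gpc';
    }
    return $on;
}
// Undo magic quotes if the host will not let you disable them, so the DB layer escapes once.
function strip_magic_quotes($value)
{
    return is_array($value) ? array_map('strip_magic_quotes', $value) : stripslashes($value);
}
// Whitelist validation for one field: allowed characters plus a length cap.
function valid_field($value, $pattern, $maxlen)
{
    return is_string($value) && strlen($value) <= $maxlen && preg_match($pattern, $value) === 1;
}
$problems = legacy_settings_still_on();
if ($problems) {
    error_log('Legacy PHP settings still enabled: ' . implode(', ', $problems));
}
if (in_array('magic_quotes_gpc', $problems)) {
    $_POST = strip_magic_quotes($_POST);
}
$name  = isset($_POST['name'])  ? $_POST['name']  : '';
$email = isset($_POST['email']) ? $_POST['email'] : '';
$body  = isset($_POST['body'])  ? $_POST['body']  : '';
if (!valid_field($name, '/^[\p{L} .\'-]+$/u', 80)
    || filter_var($email, FILTER_VALIDATE_EMAIL) === false
    || !valid_field($body, '/^[^\x00-\x08\x0B\x0C\x0E-\x1F]+$/', 2000)) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid input');
}

// SQL injection: bind the values instead of concatenating them into the query.
$db = new PDO('sqlite:messages.db');
$stmt = $db->prepare('INSERT INTO messages (name, email, body) VALUES (?, ?, ?)');
$stmt->execute(array($name, $email, $body));

// XSS: escape on output too; validation alone does not make echo safe.
echo 'Thanks, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
```

The error_log line is the check to watch after uploading the .htaccess: if it still fires, the host is ignoring php_flag and you are relying on the stripslashes fallback.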