Of course there is a lot that can be done with custom template fragments, but if "the point" of the htaccess article was to explain why using a .htaccess file was a bad idea, I'm afraid it doesn't accomplish its goal very well. The only indication of security issues with .htaccess is the following text:
Htaccess is not enabled by default and .htaccess files are inherently exposed to the Internet and require the correct permissions to be applied to ensure that unauthorised access is not allowed, therefore creating a security risk.
The recommended way to implement .htaccess on a SME server, is to use custom templates, which are only under the control of the administrator and cannot be tampered with by anonymous Internet users.
I disagree with the statement that .htaccess files are exposed to the Internet, as Apache appears to block them. Try it--create a .htaccess file (doesn't matter what's in it) in primary/html, change its permissions to 666, and then try to browse to yourserver/.htaccess. You'll get a 403-Forbidden message (it will do the same even if there's no .htaccess file). I also disagree that this fact, even if it were true, poses a security threat--at least in the use case we're discussing, the only thing an attacker would see is the IP range with access to the directory. Perhaps in a situation where the .htaccess file contained specific usernames with access (as one of the examples in that wiki page), this would be a greater threat.
I further question how "anonymous Internet users" can "tamper[] with" the .htaccess file. Even if it is world-writable (which it shouldn't be, though I'll admit I haven't said anything in my wiki page about permissions), an attacker would need to be logged into the server, or have found a remote code execution vulnerability in Apache, to be able to modify the file. In such a case, an attacker could just as easily create a new .htaccess file as modify an existing one, so I again doubt that the existence (as opposed to the contents) of an .htaccess file could cause a security issue.
So, respectfully, I'm unconvinced that the use of .htaccess in this way is a significant security issue, or that moving its contents into a template fragment significantly improves security. The Apache docs (specifically, http://httpd.apache.org/docs/current/howto/htaccess.html) do discourage use of .htaccess files, but primarily for reasons of performance, not security.
My reason for preferring to use .htaccess over a template fragment was simply that I wanted to keep the Joomla! installation as self-contained as possible, with minimal changes anywhere else in the system. The database is unavoidable, and of course the software needs a place to live (the ibay), but I didn't want to leave any unnecessary cruft in the system if/when I later decided to remove Joomla!.
What's much more important out of that article, and what I'd missed until I started writing this reply, is that by default in SME Server, AllowOverride is set to None for all ibays, which disables .htaccess files. This is the issue that's a showstopper for my use of .htaccess. To make this work, I need to set a database configuration key, and if I need to muck about with that, I might as well do a custom template fragment. I'll update the wiki page to reflect that.
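The two Apache settings this post turns on (whether requests for .ht* files are denied, and whether AllowOverride lets a directory's .htaccess take effect) can be checked from the configuration itself. The following is an added example, not part of the original post or of SME Server's tooling; the configuration excerpt is constructed, its paths are placeholders, and the parser reads top-level sections only.

```python
import re

# Constructed sample (not from a real SME Server); all paths are placeholders.
SAMPLE_CONF = r'''
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
<Directory />
    AllowOverride None
</Directory>
<Directory /srv/example/ibays/primary/html>
    AllowOverride None
</Directory>
<Directory /srv/example/ibays/joomla/html>
    AllowOverride Limit AuthConfig
</Directory>
'''

SECTION = re.compile(r'<(Files|FilesMatch|Directory)\s+([^>]+)>(.*?)</\1>', re.S | re.I)
DENY = re.compile(r'^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.I | re.M)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.I | re.M)

def audit(conf_text):
    """Return (ht_files_denied, {directory: AllowOverride value})."""
    # Drop comment lines so commented-out directives are not counted.
    text = "\n".join(l for l in conf_text.splitlines() if not l.lstrip().startswith("#"))
    ht_denied, overrides = False, {}
    for kind, arg, body in SECTION.findall(text):
        if kind.lower() == "directory":
            m = OVERRIDE.search(body)
            if m:
                overrides[arg.strip().strip('"')] = m.group(1)
        elif ".ht" in arg.replace("\\", "") and DENY.search(body):
            ht_denied = True  # 2.2-style Deny or 2.4-style Require on .ht* files
    return ht_denied, overrides

def htaccess_honoured(overrides, path):
    """True/False from the longest matching <Directory>; None if no section sets it."""
    matches = [d for d in overrides if path == d or path.startswith(d.rstrip("/") + "/")]
    if not matches:
        return None  # falls back to the server's built-in default, which varies by version
    return overrides[max(matches, key=len)].lower() != "none"
```

Calling `audit()` on the text of a server's generated httpd.conf and then `htaccess_honoured()` for a directory shows whether a .htaccess file placed there would have any effect.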