How to protect directories? URGENT

I am a new here.
I am having problems to understand how to setup security here. I have read various documents about .htacccess and .htpasswd.

So, per default, the webroot (The directory which is accesible when some opens my host in his browser) contains 3 directories:

… and some directories, I have created, for example a Joomla Installation.

All these directories (except my Joomla administrator directory) are not protected.

Now, this means my host is wide open!

So, I do understand, that I can place appropriate .htaccess files. And, outside of the webroot, a .htpasswd file.
But how can place a .htpasswd outside of the webroot? If I access my host via FTP, I can only go into my webroot.
And, furthermore, I read that there is a tool for generating the .htpasswd, which I can execute via SSH. But I dont have credentials for SSH, nor do I know where and if I can access this tool?

What I am missing here?

Please, I need help urgently, I fear my host gets compromised…


by default there is nothing to protect at all, these folders are just templates, you may safely delete them.

To avoid that listing you may either want to create an empty index.html, use “Options -Indexes” within your .htaccess file, or place a .htaccess & .htpasswd in your root directory there - the htpasswd-strings can be created using online tools, no ssh login is necessary here; the path to that .htaccess file can be included within the .htaccess file, see tutorials.