Thanks to everyone who offered suggestions. My webhost confirmed that it was a 'brute force' attack that got the password. They said that they have software in place to detect that with the main logins, but are in the process of installing it for FTP.
They didn't answer my question about SFTP so I'll ask again. Checking the logs I found that I was lucky enough to stumble onto the intrusion just a few hours after it happened - so at least that worked out. Meanwhile - I'm learning more about .htaccess commands... - MCC -- - - - - - - - - - - - - - - - - - - - - Mark Cassino Photography Kalamazoo, Michigan www.markcassino.com - - - - - - - - - - - - - - - - - - - - -- PDML Pentax-Discuss Mail List PDML@pdml.net http://pdml.net/mailman/listinfo/pdml_pdml.net