Result of possible unsuccessful hacking attempt.

[Timbow]

Yesteray one of my sites was locked down by the hosting co after it triggered a spam alarm by sending out too many emails. The site has no email form or anything on the front end and never sends mail so the host support person is suggesting it could only be admin/resetpassword.php which is generating mail, in an attempt to guess a username and get a new password somehow. Why anyone should want to hack into this site is a total mystery.

Anyway, well done Shawn et al - it seems the system was secure enough. But several questions:

1. The hosts want to add a deny from all rule in the .htaccess file for the admin area and allow the access only for specified ranges of IP address. I would rather manage this myself but can someone tell me how it is done? and if it is wise?
   
2. Is there anything else I should or could do to prevent a repeat attempt? Could I limit the number of emails sent for password reset for instance?
   
3. I thought I had better reset my own password and attempted to do it via the login and email rather than via the back end. I think the email address I left on the site is redundant so I never got the reset message. Can someone remind me how I get back my password by ftp? I upload a new user.xml file or something?