The phpatm support forum (currently down) advises administrators to put a .htaccess into the users directory with the following content:
# no one gets in here! order allow,deny deny from all Furthermore the website recommends to rename the "users" directory and change the corresponding variable in the config-file. These two things done, it is no longer possible to download the hashes.
