First off, don't put passwords in the code: store them (hashed) in the database, then match against the POST'd pass (after you've hashed that as well).
Protecting code: if you make sure anonymous FTP is off, as well as .htaccess-protect all folders with PHP scripts (deny from all), I THINK that would do it. Can anybody confirm? Some chmod'ing as well?
Note that .htaccess lets includes go through, but I think it blocks header calls you make from scripts to a PHP file (if you have any). You probably don't need to protect every single PHP file though.
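
The first point above (keep only a hash in the database and check the submitted password against it), as an added example that is not part of the original post. It uses PHP's built-in `password_hash()` and `password_verify()`, which salt every hash, so the check goes through `password_verify()` instead of re-hashing the input and comparing strings. The `users` table, its column names, the sample credentials and the in-memory SQLite database (requires the `pdo_sqlite` extension) are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: table, columns and credentials below are constructed for illustration.

function open_db(): PDO {
    // In-memory SQLite keeps the example self-contained; use your real DSN instead.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
    return $db;
}

function register_user(PDO $db, string $name, string $password): void {
    // password_hash() picks a random salt and stores it inside the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $db->prepare('INSERT INTO users (name, pass_hash) VALUES (?, ?)')
       ->execute([$name, $hash]);
}

function check_login(PDO $db, string $name, string $password): bool {
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        // Unknown user: verify against a dummy hash so response time
        // does not reveal which account names exist.
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, (string) $stored)) {
        return false;
    }
    // Upgrade the stored hash when PHP's default algorithm or cost changes.
    if (password_needs_rehash((string) $stored, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET pass_hash = ? WHERE name = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $name]);
    }
    return true;
}

$db = open_db();
register_user($db, 'alice', 'correct horse battery staple');

// Stands in for $_POST on a real login request (constructed values).
$post = ['user' => 'alice', 'pass' => 'correct horse battery staple'];
var_dump(check_login($db, $post['user'], $post['pass']));
var_dump(check_login($db, $post['user'], 'wrong password'));
var_dump(check_login($db, 'nobody', $post['pass']));
```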