work with .htaccess instead
If you use the webassist folder as "admin" folder you can put the whole stuff behind a .htaccess login. All admin pages are safe at once because the server's authentication models does not protect single files but a whole subdirectory. All you have to do, is to put the userfiles directory outside this directory so that it is public accessible.