2
Replace the contents of mainfile.php with:
require_once('/path/to/protected/dir/mainfile.php') ?>
The path specified above is your "real" mainfile.php.
Alternatively, you could leave mainfile.php alone, and add an .htaccess file to the main XOOPS directory:
<Files "mainfile.php">
Deny from all
Files>