Move the .htaccess file down one level and have it refer to moodledata. As it is, the bad guy can delete the .htaccess since it's in a world-writeable directory.
Use something like this:
RewriteRule moodledata - [F]
(not tested)
It's always better to have any world-writeable file outside of docroot or cgi-bin, but the above is better than putting the .htaccess within moodledata/.