3

Let's say I lock down my site through .htaccess and say

    DENY FROM ALL
    ALLOW FROM myip

How involved is it for a hacker to simply spoof their IP address to match whatever mine is and gain access?

For that matter, is the .htaccess secure enough to lock down specific files/directories?

user61995

3 Answers

6

Remember that TCP/IP requires 2-way communication. Yes, someone can spoof an IP (with difficulty), but in doing so, they break the ability to receive replies.

Spoofing an IP is usually better suited to "fire-and-forget" scenarios like DDoS.

schroeder
3

As others have already explained, it is very unlikely that an attacker will be able to perform active TCP spoofing of your IP address. What is more likely is that you make a common mistake in your protection. Many tutorials use the following example of how to configure restricted access:

    <Limit GET HEAD POST>
    DENY FROM ALL
    ALLOW FROM myip
    </Limit>

If you were to use this style of protection, an attacker could use verbs like GETS instead of GET and bypass your directive.

wireghoul
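
A way to check your own .htaccess files for the <Limit> mistake described in the answer above, as an added example that is not part of the original answers. The function name audit_htaccess, the directive list and the sample address 203.0.113.10 are assumptions made for illustration.

```python
import re

# Access-control directives; inside <Limit> they cover only the listed methods.
ACCESS_DIRECTIVES = {"order", "deny", "allow", "require", "satisfy"}

# Constructed sample: the tutorial-style block from the answer above.
WEAK = """\
<Limit GET HEAD POST>
DENY FROM ALL
ALLOW FROM 203.0.113.10
</Limit>
"""

# Constructed sample: same rule outside <Limit>, so it covers every method.
# (Apache 2.4 expresses this as "Require ip 203.0.113.10".)
HARDENED = """\
Order deny,allow
Deny from all
Allow from 203.0.113.10
"""

def audit_htaccess(text):
    """Return (line_no, methods, directive) for each access-control directive
    that sits inside a <Limit> block and therefore protects only some methods."""
    findings = []
    limit_methods = None  # methods of the enclosing <Limit>, or None if outside
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # \s+ after "Limit" keeps <LimitExcept ...> from matching here.
        opening = re.match(r"<Limit\s+([^>]*)>", line, re.IGNORECASE)
        if opening:
            limit_methods = opening.group(1).upper().split()
            continue
        if re.match(r"</Limit\s*>", line, re.IGNORECASE):
            limit_methods = None
            continue
        if limit_methods is not None and line.split()[0].lower() in ACCESS_DIRECTIVES:
            findings.append((line_no, limit_methods, line))
    return findings

if __name__ == "__main__":
    for line_no, methods, directive in audit_htaccess(WEAK):
        print(f"line {line_no}: '{directive}' applies only to {', '.join(methods)}")
    print("hardened findings:", audit_htaccess(HARDENED))
```
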
0

This is almost unfeasible because of several factors:

  1. As TCP/IP employs a three-way handshake, it is very difficult for an attacker to start and maintain a usable TCP connection for a time long enough to extract useful information from your page.

  2. Spoofing the source address will send the response to the spoofed IP, not the attacker's IP. He will not see any of the packets unless he has access to one host between your server and the spoofed address.

  3. He must know all the allowed IPs from your .htaccess. This is unlikely to happen, because if he can read .htaccess, he can read all the other files.

There are other ways to read that data, like attacking and compromising your server, attacking your computer and installing malware, exploiting a Local or Remote File Include vulnerability or conning you into providing the credentials.

ThoriumBR