To enable users to protect a directory using the Proected Web Directories module their virtualhost needs an "AllowOverride AuthConfig" directive added to the <Directory $HOME/public_html> block.

This isn't added by default, and the protected web directories module does not add it.

What is the best way to enable this for all sites? Either as i've described above, or to enable it globally with

<Directory /home/>
AllowOverride AuthConfig
</Directory>

Which is the simplest way.. But I remember reading that there were performance issues related with .htaccess, due to apache having to look up the directory structure for each request to determine if a htaccess file existed higher up.

It seems the best solution is to add a directory block for each directory you want to protect, so that apache will not look for htaccess's outside of that directory. However this could get a bit messy and isn't currently supported by webmin/virtualmin (or have i missed it ;))

I've also just noticed that if i set "Password-protect statistics?" to Yes that it creates the file "htpasswd" in the stats directory, which should be ".htpasswd".

It does not create a ".htaccess" file or add the appropriate directive to the virtual host.