Hey Simon,
here's an idea: use 4 different major directories
1. application
2. template
3. data
4. public
Shield the dirs 1-3 and give only public access to the last one. Now, different data has different vars. I personally use md5 hash codes to separate the data files (in most of my cases they are cache files). If you are using PHP then md5($QUERYSTRING) is probably your best bet. Also, you can easily use the first line of the data file for your vars and remove them with PHP before editing the file in a WYSIWYG editor.
Now, the idea of public and non-public dirs makes your application more secure. Oh, and use sessions for the login (if possible, the admin should be over https).
Hope this helps a little.
--
Sincerely,
Jaan Jänesmäe
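
The data-file scheme described in the message above, as an added example that is not part of the original message: files in the non-public data directory are named by the md5 of the query string, and the vars sit on the first line. The function names, the `.cache` suffix, the `DATA_DIR` path and the JSON encoding of the vars line are assumptions made for illustration.

```php
<?php
// Added example. DATA_DIR is an assumed path for directory 3 ("data"),
// which must sit outside the web server's document root.
const DATA_DIR = __DIR__ . '/data';

// Map a raw query string to a data file. md5() returns 32 hex characters,
// so nothing from the request (slashes, "..", NUL bytes) reaches the path.
function cache_path(string $queryString): string
{
    return DATA_DIR . '/' . md5($queryString) . '.cache';
}

// Store the vars on the first line (JSON is an assumed format), then the body.
function cache_write(string $queryString, array $vars, string $body): void
{
    if (!is_dir(DATA_DIR)) {
        mkdir(DATA_DIR, 0700, true);
    }
    $header = json_encode($vars); // json_encode escapes newlines: always one line
    file_put_contents(cache_path($queryString), $header . "\n" . $body, LOCK_EX);
}

// Split the vars line from the rest, e.g. before handing the body to an editor.
function cache_read(string $queryString): ?array
{
    $path = cache_path($queryString);
    if (!is_file($path)) {
        return null;
    }
    $parts = explode("\n", file_get_contents($path), 2);
    $vars = json_decode($parts[0], true);
    if (!is_array($vars)) {
        return null; // vars line missing or corrupt
    }
    return ['vars' => $vars, 'body' => $parts[1] ?? ''];
}

// Constructed sample input: a traversal-style query string still yields a flat file name.
$qs = 'page=../../application/config&lang=en';
cache_write($qs, ['title' => 'Home', 'ttl' => 300], "<h1>Hello</h1>\n<p>cached</p>");
$entry = cache_read($qs);
echo basename(cache_path($qs)), "\n";          // 32 hex characters + ".cache"
echo $entry['vars']['title'], "\n", $entry['body'], "\n";
```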