One great way to secure any WordPress site is to secure the wp-config.php file using .htaccess. You are likely aware of how important the wp-config.php file is, but maybe you don’t know that people can access that file even if they are not signed into your site.
If someone puts in the URL to your site and the file name, they will see a blank page because WordPress hides the content. However, a smart hacker knowing the right parameter will be able to see everything in that file.
The first step is to log into your hosting account. Go to the file manager and find the right website and document root for that website. You can also do this using FTP if you are more comfortable (it is how I do it all the time). You will find a file called .htaccess. Add the following code:
# BEGIN Protect the wp-config.php file
deny from all
# END Protect the wp-config.php file
This will make it so your wp-config.php cannot be accessed.