They may have optimized WP environment but take one-step further for assured security.

Protect the wp-config.php file:

Protect WP blog core by taking a wp-config.php file to higher levels to the root directory. WordPress sees it easily.

Disallow file editing:

Prohibit this so that even after obtaining admin access for WP dashboard the hacker cannot modify files.

Connect the server correctly:

Connect server only with SSH or SFTP. SFTP is better than FTP because of its security features.

Set directory permissions carefully:

With shared host, error in directory permissions might be fatal. Secure site at hosting level by changing permissions. Set 755 for directory permission and 644 for file permission. This protects complete file system.

Disable directory listing with .htaccess:

Do this by adding ‘Options All –Indexes in .htacess file.