What about Jetpack? Doesn’t it offer the same functionality?
The top entry is good. It is probably from your Sucuri plugin if you or your security guy didn’t put it there yourself. I also am recovering from a hack. Mine has the same entry plus one more. I found your post trying to answer the same question for myself.
* Don’t forget to check your file permissions!
<Files *.php>
deny from all
</Files>
<Files wp-tinymce.php>
allow from all
</Files>
<Files ms-files.php>
allow from all
</Files>
