If you afraid of malicious users and malwares that target port 1433, you can publish your SQL Server on a different port.
First, start SQL Server Configuration Manager, then navigate to the SQL Server Network Configuration –> Protocols for [instance neve] –> TCP/IP branch, and open the Properties dialog (click for the full image):
On the second, IP Addresses tab you can configure the IP addresses and ports your database server instance is listening, and for example you can move it to port 8765:
Obviously, you have to open this port on the firewall for inbound connection. If you don’t want to hardcode the port number into the firewall rules, you can create a firewall rule for the SQL process itself. Start Windows Firewall with Advanced Security then create a new Inbound Rule by clicking New Rule… on the right pane. Here’s the trick: create a rule for a Program, and not for a port:
Then specify the full path of the sqlservr.exe of your SQL Server instance:
There’s nothing new on next steps, just create the rule as usual.
But, if your server is listening on a non-default port, how will your clients know which port should they connect to? That’s the purpose of the SQL Browser Service, that can tell the clients the dynamic port numbers of the instances. However, if you publish your SQL Browser Service, anyone could query the port numbers, so moving the instances to other ports wouldn’t make any sense. The only solution is to explicitly specify the port number during the connection. Note that the syntax is a bit special, you should use a comma, instead of the usual colon:
Specifying the port number seems inconvenient, however you have to do it only for remote connections. Behind the firewall you can freely run your SQL Browser Service, so applications (websites) running on the server will be able to find the right SQL instance without hardcoding the port number into their connection strings.