Add the following code to your .htaccess file or into your apache vhost config so that some things will be blocked

#block wp-config.php

order allow,deny
deny from all

#block wp-login.php

order deny,allow
deny from all
#optionally add ips that you want to allow from
#Allow from 10.

#block xmlrpc.php another way to login

order deny,allow
deny from all
#optionally add ips that you want to allow from
#Allow from 10.

#block author lookup (used by hackers to get your username)
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* /index.php?error=403 [L]

#block includes

RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]