Add the following code to your .htaccess file or into your apache vhost config so that some things will be blocked
#block wp-config.php
order allow,deny
deny from all
#block wp-login.php
order deny,allow
deny from all
#optionally add ips that you want to allow from
#Allow from 10.
#block xmlrpc.php another way to login
order deny,allow
deny from all
#optionally add ips that you want to allow from
#Allow from 10.
#block author lookup (used by hackers to get your username)
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* /index.php?error=403 [L]
#block includes
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]