Secure the Apache WordPress root directory from your Apache vhost config file instead of .htaccess, using this RegEx: (wp-activate|wp-mail|wp-signup) is the list of file names to exclude, and wp- matches all WordPress root files starting with wp-.

Excluding wp-activate.php, wp-signup.php and wp-mail.php from Apache's FilesMatch deny rule (403 Forbidden response):
<Directory /var/www/wordpress/>
    <FilesMatch "(?!.*(?:wp-activate|wp-signup|wp-mail))(wp-(.*)|xmlrpc)\.php$">
        Require all denied
    </FilesMatch>
</Directory>
Excluding none (the word none is just a RegEx placeholder) from Apache's FilesMatch deny rule (403 Forbidden response):
<Directory /var/www/wordpress/>
    <FilesMatch "(?!.*(?:none))(wp-(.*)|xmlrpc)\.php$">
        Require all denied
    </FilesMatch>
</Directory>
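Before reloading Apache, it helps to check which file names each pattern actually denies. The script below is an added example, not part of the original page: it runs the two patterns above over a constructed list of file names, assuming FilesMatch tests the bare file name with an unanchored search (which Python's re.search reproduces for these constructs). The names is_denied, audit and SAMPLE_FILES are hypothetical.

```python
import re

# Patterns copied verbatim from the two FilesMatch blocks on this page.
WITH_EXCLUSIONS = r"(?!.*(?:wp-activate|wp-signup|wp-mail))(wp-(.*)|xmlrpc)\.php$"
PLACEHOLDER_ONLY = r"(?!.*(?:none))(wp-(.*)|xmlrpc)\.php$"


def is_denied(pattern, filename):
    """True if the FilesMatch block would apply 'Require all denied'.

    Assumption: the regex is tested against the bare file name with
    search semantics (no implicit anchoring at the start).
    """
    return re.search(pattern, filename) is not None


def audit(pattern, filenames):
    """Map each file name to '403' (denied) or 'served' (rule not applied)."""
    return {name: "403" if is_denied(pattern, name) else "served"
            for name in filenames}


# Constructed sample: stock WordPress root files plus two edge cases.
SAMPLE_FILES = [
    "index.php",
    "wp-config.php",
    "wp-login.php",
    "wp-cron.php",
    "xmlrpc.php",
    "wp-activate.php",
    "wp-signup.php",
    "wp-mail.php",
    "wp-mail-old.php",    # hypothetical: excluded words match as substrings
    "wp-config.php.bak",  # hypothetical: name does not end in .php
]

if __name__ == "__main__":
    for label, pattern in (("with exclusions", WITH_EXCLUSIONS),
                           ("placeholder only", PLACEHOLDER_ONLY)):
        print(f"--- {label} ---")
        for name, verdict in audit(pattern, SAMPLE_FILES).items():
            print(f"{verdict:>6}  {name}")
```

The output shows that wp-login.php and wp-cron.php receive a 403 under both patterns, that any name containing an excluded word is left reachable, and that a copy such as wp-config.php.bak falls outside the rule because it does not end in .php. To keep a file reachable, add its name to the exclusion group the same way the page does for wp-activate, wp-signup and wp-mail.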