Secure Apache WordPress Root Directory using your Apache vhost config file instead of .htaccess by using this RegEx for file-name exclusions' i.e. (wp-activate|wp-mail|wp-signup) and {wp-} for all WordPress root files' starting with {wp-}.

Excluding wp-activate.php, wp-signup.php and wp-mail.php from Apaches' FileMatch denied 403 Forbidden Access response.

<Directory /var/www/wordpress/>
	<FilesMatch "(?!.*(?:wp-activate|wp-signup|wp-mail))(wp-(.*)|xmlrpc)\.php$">
		Require all denied
	</FilesMatch>
</Directory>

Excluding none (the word none is just RegEx place holder) from Apaches' FileMatch denied 403 Forbidden Access response.

<Directory /var/www/wordpress/>
	<FilesMatch "(?!.*(?:none))(wp-(.*)|xmlrpc)\.php$">
		Require all denied
	</FilesMatch>
</Directory>