The list of things to do to harden a WordPress site with Apache is long, but some things that could be done include:
FileETag None
<Files wp-config.php>
Require all denied
</Files>
<Files xmlrpc.php>
Require all denied
</Files>
<LocationMatch "/wp-content/uploads/.*(?i)\.php$">
Require all denied
</LocationMatch>