You can secure your wp-includes folder too. None of the scripts in that folder have any reason to be accessed directly by any user. So, Hardening WordPress means you should block direct access to resources inside wp-includes folder.
One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Following code is taken from a WordPress support article.
Of course place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. Otherwise they will be overwritten by WordPress itself.
# Block the include-only files. <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] </IfModule>
This will keep your WordPress website more secured.
