Why not just disable comments and registration?
This comes to mind also:
(Redirect all requests to login page or admin pages to homepage. A little irreversible.)
$currentURL = $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
if (strpos($currentURL, 'wp-admin' ) or strpos($currentURL, 'wp-login' )) {
header( 'Location: '.site_url() );
}
Caution: this stops you from logging in also.
Edit:
And adaptation of the above code put into plugin format can be found here. Thanks to brasofilo.
Modified code:
add_action( 'init', function()
{
$currentURL = $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
if( strpos( $currentURL, 'wp-admin' ) or strpos( $currentURL, 'wp-login' ) )
exit( wp_redirect( site_url() ) );
} );