I wouldn’t bother with the readme file as probably no hacker bothers to check your WP version before trying to hack into the site.
Will not bother with anything in /wp-includes and /wp-admin because I trust the core team to make that code secure in the default installation, and those file don’t contain any information which is specific to my site.
The files to protect are wp-config.php, because it contains DB access details and the /wp-content directory because theme and plugins developers are not very good at security.
for wp-config just deny access in your .htaccess
<files wp-config.php>
order allow,deny
deny from all
</files>
for /wp-content/plugins and /wp-content/theme deny access for anything which is not animage,js or css file by adding an .htaccess there with the following content. If a plugin or theme does not work with this configuration they probably don’t follow WP coding guidelines and it might be better not to use them.
<Files ^(*.jpeg|*.jpg|*.png|*.gif|*.js|*.css)>
order deny,allow
deny from all
</Files>
for /wp-content/uploads you can’t realy deny access as you don’t know which type of files will be uploaded there, so the best thing to do there is to simply not to allow the execution of php,perl,pyton at that directories and serve them as plain text with the following rules
<FilesMatch "\.(php|pl|py|jsp|asp|htm|shtml|sh|cgi)$">
ForceType text/plain
</FilesMatch>
Once you are satisfied, you should probably combine everything to one .htaccess at root for better performance