I would agree with most everything here, including best practices for htaccess and so forth, but I take issue with the statement "And just an FYI - if you are using secure passwords then you have nothing to worry about since one-way hashed passwords cannot be cracked."
Hashcat on a workstation with a number of GPUs can and will crack WordPress passwords, and people do it all the time. Collisions can and will happen. Passwords under 8 characters, especially, will only take about an hour or two on a high-end machine with multiple GPUs doing the cracking. Passwords of 8 or more characters take a bit longer, exponentially so for every character over 8 in length.
At a minimum, 14 or more would be more desirable, as well as implementing your own form of two-factor authentication, or doing as I do and disabling access to wp-login.php and the wp-admin directory via htaccess for anyone other than my own IP.
Still, it's not impossible to break, as the algorithm used to create the hash can have any number of possibilities for the hash itself, and it's only a time trade-off issue as to when, not if, the password can be broken. Type in any word, and do it continually; the hash changes every time. I use this for myself when I've forgotten the password on systems that don't have the ability to email passwords or have no SMTP set up, and I have to manually edit clients' sites that need password resets. I can make my own and just paste whatever this outputs directly into the database file itself, and it works - http://www.attack-scanner.com/pass.php
If you are going to block access to indexes, be sure to block access to wp-login.php and wp-admin as well, except for your own IP. It's a hassle to update the htaccess file every time your IP changes, but it's worth it in my mind. Another alternative is to add htpasswd protection to the wp-admin directory so no one can log in, which in some ways adds a second layer of authentication. Just don't use the same login name and password for both htpasswd and your WordPress login, but that should go without saying.
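
An added example, not part of the comment above: one way to write the two restrictions it describes, assuming Apache 2.4 with `.htaccess` overrides enabled. The address `203.0.113.10`, the user name `editor2` and the `AuthUserFile` path are constructed placeholders.

```apache
# ---------- File 1: .htaccess in the WordPress root ----------
# Only the listed address may reach the login script.
# 203.0.113.10 is a constructed documentation address; use your own IP
# and update it whenever that IP changes.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# ---------- File 2: wp-admin/.htaccess ----------
# Option A: the same IP restriction for the whole admin directory.
# Uncomment this line and remove Option B to use it instead.
# Require ip 203.0.113.10

# Option B: an htpasswd prompt in front of the WordPress login.
# Constructed path: keep the password file outside the document root.
# Create it with a name and password that differ from the WordPress account:
#   htpasswd -c -B /home/example/.htpasswd-wpadmin editor2
AuthType Basic
AuthName "Restricted"
AuthUserFile /home/example/.htpasswd-wpadmin
Require valid-user

# Plugins and themes call admin-ajax.php on behalf of ordinary visitors,
# so it has to stay reachable or front-end features stop working.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Basic authentication sends the credentials with every request, so serve wp-admin over HTTPS when using Option B.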