AFAIK, wordpress allows direct access to any file. My suggestion for this is to have a constant defined in index.php or somewhere, which must be defined if the file will be loaded.
<?php define('_IN_WP', true); .... ?>
<?php defined('_IN_WP') or die(); .... ?>
I'm not sure if not having this could be a security risk (e.g. wp-includes/somefile.php?SQL-INJECTION-HERE), but it makes sense to prevent files from loading unless WP is loading them internally. Also, you might get people directly accessing files to make them spit out php errors to get a clearer pic of the site structure.