Thank you!
1. I absolutely agree. I usually add code in the .htaccess file (actually in a Directory block in .config) to prevent it. But since the article serves as a checklist, I didn't insert any code here.
2. Good catch. I used to do it all the time, but since we create WordPress sites from scratch we just don't install anything extra and actually try to avoid using third-party plugins and themes, so I just forgot to mention it :)
Although, I see that many developers recommend keeping at least one and the latest default WP theme just in case of security issues.