Forbidden vs Not Found
Don't just block access to your config files, hide them all together. When an attacker or robot is scouring your website looking for vulnerabilities and finds a wp-config.php file that is forbidden then they still learn that they are dealing with a wordpress install. It might take them a bit longer to attack your site, but they will know a bit about what they are attacking. However if you instead return 404 File Not Found for any config files gleaned for you might be able to throw them off the scent.
RewriteRule ^(.)config(.)\.php$ $1config$2\.php [R=404,L]
This code can be put in your .htaccess file and will match any file that has the word config in it and the extension of .php; so this will return 404s for all php config files not just wordpress config files.