MyBB Community Forums

Full Version: Block file access to attachments
The htaccess examples already cover things like the error log and the backups directory.
File attachments should also be added to this list, so that all access to the attachments can be funnelled through PHP without any way to sneak around it.
This would be a good improvement, so +1, though I use nginx so I'd have to write an nginx rule for it (might do that, actually). The only real issue is that attachments are in /uploads/yyyymm and the folders keep changing, so you'd have to update the .htaccess and/or nginx config monthly. The file names on disk are randomized, so it'd take a long time to brute-force the file names. Simple rate limiting would make any attempt worthless. Again, good suggestion - difficult to implement (without a long upgrade script (to add an extra subfolder for attachments to make rules easier) that would be painfully slow for old sites with 10,000s of attachments).
Attachments all have a .attach file extension, so you could match them by extension.
Ideally, MyBB would move them into some sort of attachments folder.

Edit: As for an upgrade script, moving files is pretty fast on my home computer when I move things a folder at a time; even if it has gigabytes of data, it only takes ten minutes at most. Unfortunately, PHP isn't very tolerant of things which take more than a minute, otherwise... Grab a drink while it moves the stuff?

Another option is to rename uploads to attachments and to move the avatar folder up one.
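
The extension match suggested in the thread, written as an Apache .htaccess rule. This is an added example, not part of the original posts or of MyBB's shipped htaccess examples. It assumes the file is placed in the forum root or in the uploads directory and that the server's AllowOverride setting permits access-control directives.

```apache
# Added example: deny direct HTTP requests for stored attachment files.
# Matching on the .attach extension covers every /uploads/yyyymm folder,
# because .htaccess directives also apply to subdirectories, so the rule
# does not need a monthly update.
<FilesMatch "\.attach$">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

The rule only affects requests the web server answers directly; PHP reads the files from disk, so downloads funnelled through PHP keep working.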