It's my belief, though it's very difficult to test, that BotBlockX stops a lot of those kinds of things by simply blocking anyone who's hammering the site with many requests in a short time, though I suppose the smarter bots are cycling though a long list of sites so the requests on a given site are spaced out.
I've also got a lot of specific files listed in .htaccess and toss anyone who's looking for them before they get to index.php.
RewriteCond %{REQUEST_URI} reflect [NC,OR]
RewriteCond %{QUERY_STRING} reflect [NC,OR]
RewriteCond %{REQUEST_URI} ^\/scripts [NC,OR]
RewriteCond %{REQUEST_URI} ^\/apps [NC,OR]
RewriteCond %{REQUEST_URI} password_forgotten [NC,OR]
RewriteCond %{REQUEST_URI} forgot_password [NC,OR]
# etc.
RewriteRule .* - [F,L]
I've also got a bunch of these:
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]