Blocking by IP is a chore and could possibly block legit viewers. I.e., even if you don't block ~39K IPs and block "ranges" instead, you'll still find yourself endlessly updating your .htaccess file. Also keep in mind that Apache processes the .htaccess file on every HTTP request, so you don't want it to be too large.
Although you could still block the more troublesome IPs too, IMHO for post spam it's much better to use other methods such as CAPTCHA, flood control, word/phrase blacklisting, and checking for links.
As for file access, keep files containing sensitive info outside of the webroot, make sure your folder/file permissions are set as restrictive as possible, and don't use the default structure/naming where you have the option to use something different.
I think if you do everything here you should be OK.
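
Added example, not part of the original post: a minimal sketch of three of the non-IP checks named above (flood control, word/phrase blacklisting, and checking for links) applied to a submitted post. The class name, thresholds and blacklist phrases are assumptions made for illustration, and the client key can be an account or session id rather than an IP.

```python
import re
import time
from collections import defaultdict, deque

# Assumed policy values for illustration; tune them for your own forum.
BLACKLIST = ("cheap pills", "casino bonus")   # constructed sample phrases
MAX_LINKS = 2            # links allowed in a single post
FLOOD_WINDOW = 60.0      # sliding window length in seconds
FLOOD_MAX_POSTS = 3      # submissions allowed per client inside the window

LINK_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)


class PostScreen:
    """Screens a submitted post and returns the list of rules it tripped."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                  # injectable so tests can fake time
        self._recent = defaultdict(deque)    # client id -> submission timestamps

    def _flooding(self, client):
        now = self._clock()
        stamps = self._recent[client]
        # Drop submissions that have aged out of the sliding window.
        while stamps and now - stamps[0] > FLOOD_WINDOW:
            stamps.popleft()
        # Rejected attempts are recorded too, so hammering extends the block.
        stamps.append(now)
        return len(stamps) > FLOOD_MAX_POSTS

    def check(self, client, body):
        reasons = []
        if self._flooding(client):
            reasons.append("flood")
        # Collapse whitespace and case so "Cheap   PILLS" still matches.
        text = re.sub(r"\s+", " ", body).lower()
        if any(phrase in text for phrase in BLACKLIST):
            reasons.append("blacklist")
        if len(LINK_RE.findall(body)) > MAX_LINKS:
            reasons.append("links")
        return reasons
```

An empty list means the post passed all three checks; a non-empty list can be used to reject the post, hold it for moderation, or trigger a CAPTCHA.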