Hi Mahtab, I can’t help with your question directly, but can I suggest a couple of things.   First, can you post details of your setup? Your OS, Web Server (Apache, IIS etc) , db and Moodle version.  This would be needed to give any real advice as to how to protect your web server.

Secondly, I believe your basic web server must allow people to read the files so they can be displayed properly but this should not be a security concern as this should only contain the basic Moodle install files.  There are four things you need to be sure off,

1. Make sure your documents data directory is not contained within the web directory, that way a scan will not provide any real files.  
2. Make sure your web server will not issue out *.ini files. By default most web servers will not.
3. Make sure you are using the latest release of whichever version of Moodle you are using.  If you have an old version a scan may reveal a known vulnerability (should not be an issue for you with a new site). And
4. Make sure you have patched your web server.

With the details of which web server you are using some other people may be able to give more detailed advice. 

No - it isn't possible. Somebody using wget has no less access than somebody using the site through a browser window.

If you have set up your site in such a way that anybody can access anything (which is certainly not the default) then that would be what you wanted to happen, surely?

If it is simply a nuisance (i.e. using bandwidth you pay for) there are plenty of ways of blocking IP addresses but that isn't a Moodle issue. You need to look at options for controlling access to the webserver (e.g. some people block whole countries).