Non-broadcast SSID is not a security feature and will not protect a network. There are no best practices that attempt security via obscurity.
It is my understanding that filtering by MAC address on OpenBSD can only be performed on bridge(4) interfaces. Since bridge interfaces are passed through pf(4) filters twice -- once on input, and once on output -- you may block unwanted MAC address traffic either in, or out, or both directions. Filtration must be done by tagging the Ethernet frames. See the Tagging section of the PF User's Guide here:
http://www.openbsd.org/faq/pf/tagging.html
WEP encryption is considered broken by the industry and should not be used for secure communication.
WPA/WPA2, if supported by your network device, is the preferred best practice for secure 802.11 communications.
Alternatives to WPA to consider may include ipsec(4) and authpf(8), or combinations.