Secure WordPress using Cloudflare Firewall

Secure your site and block attacks before they even reach your web server using Cloudflare firewall rules. The Cloudflare free plan includes five firewall rules, which are empty by default.
Whitelist Your IP Address
Before you implement any firewall rules, you should first whitelist your own IP. This way you won’t be affected by the firewall rules.
(ip.src eq x.x.x.x)
Block wp-login.php Attacks
Attacks on wp-login.php are by far the most common against WordPress installations. They are usually automated scans that do not pose a big threat, but you can still block them.
(http.request.uri.path contains "/wp-login.php")
Block xmlrpc.php Attacks
After wp-login.php, xmlrpc.php is the second most common attack target. It can be disabled completely, but XML-RPC has legitimate uses, such as posting from a mobile device or tablet.
(http.request.uri.path contains "/xmlrpc.php")
Protect the wp-admin Area
(http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")
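To check what these four expressions would match before enabling them, this added example (not part of the original page) replays them in Python against constructed requests. It assumes the whitelist rule allows, the other three block, the first matching rule decides, and 203.0.113.10 stands in for your own IP.

```python
import ipaddress

# Assumption: the IP whitelisted in the first rule (documentation address, constructed).
ADMIN_IP = ipaddress.ip_address("203.0.113.10")

def is_admin(ip, path):
    return ipaddress.ip_address(ip) == ADMIN_IP

def wp_admin(ip, path):
    # Mirrors the wp-admin expression: match the area, minus the two excluded files.
    return ("/wp-admin/" in path
            and "/wp-admin/admin-ajax.php" not in path
            and "/wp-admin/theme-editor.php" not in path)

# Rules in the page's order; the actions are assumptions (the page does not name them).
RULES = [
    ("whitelist", "allow", is_admin),
    ("wp-login", "block", lambda ip, path: "/wp-login.php" in path),
    ("xmlrpc", "block", lambda ip, path: "/xmlrpc.php" in path),
    ("wp-admin", "block", wp_admin),
]

def evaluate(ip, uri):
    """Return (rule, action) for the first matching rule, or (None, 'pass')."""
    path = uri.split("?", 1)[0]  # http.request.uri.path excludes the query string
    for name, action, matches in RULES:
        if matches(ip, path):  # 'contains' is a case-sensitive substring test
            return name, action
    return None, "pass"

# Constructed sample requests: (client IP, request URI).
SAMPLES = [
    ("203.0.113.10", "/wp-login.php"),
    ("198.51.100.7", "/wp-login.php"),
    ("198.51.100.7", "/xmlrpc.php"),
    ("198.51.100.7", "/wp-admin/admin-ajax.php?action=heartbeat"),
    ("198.51.100.7", "/wp-admin/options-general.php"),
    ("198.51.100.7", "/blog/hello-world/"),
    ("198.51.100.7", "/blog/wp-login.php"),
]

if __name__ == "__main__":
    for ip, uri in SAMPLES:
        rule, action = evaluate(ip, uri)
        print(f"{ip:15} {uri:45} -> {action} ({rule})")
```

Visitor requests to admin-ajax.php pass because of the exclusion in the wp-admin expression, and because `contains` matches anywhere in the path, a login page under a subdirectory such as /blog/ is covered too.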