I would like to lock down access to all the non-public facing parts of a WordPress self-hosted site to minimize the impact on the server from consistent random login requests and attempts to access other parts of the install such as the wp-config file.
The best approach I can see is to use Cloudflare Access to verify all legitimate login requests with a third-party verification service before passing the request to the server and rejecting all other nefarious requests. The limitation within Cloudflare Access is the ability to use wildcards in the path allowing all requests for /wp-admin/* through the verification service. Is there a way of combining Cloudflare firewall rules with Cloudflare Access to force the external verification of all traffic trying to log in to the site whilst rejecting nefarious attempts to get to the wp-config file immediately? If so, which product takes precedence in the process (i.e. can I block all access to wp-admin within the firewall and then allow access through Cloudflare Access)?
If this is not the best approach, is there another method that would be recommended for offsiting the firewalling and verification before it hits the server?
Many thanks in advance!