Hi a question the DDOS protection rule should it be inserted on the entire website (domain) or only on the domain / wp-admin or wp-login?
My domain is:
How about starting with the below:
Kindly see more by reading Cloudflare articles which contain a lot of helpful information for better understanding and usage as well in terms of Security and Protection:
Since you’re using WordPress, I’d like to share two of my posts containing multiple things related to your question.
Combining them into few Firewall Rules, you can get what you need for the best possible security & protection of your WordPress instance
We can use Cloudflare Access / Zero Trust (Teams):