I have configured CloudFlare some time ago with firewall rules as the following:
(http.host contains "secureserver.net") or (http.host contains "cloudwaysapps.com") or (http.host contains "googleusercontent.com") or (http.host contains "vps.ovh.net") or (http.host contains "bluehost.com")
These are the most common hostnames that appear in logs of login attempts to my WP website. They all usually hit /wp-admin/admin.php page. I had really peaceful time for a long time thanks to CloudFlare. However those rules suddenly stopped to work for whatever reason and I am not able to identify why. I started to receive logs (on my server, NOT CloudFlare) about login attempts using those hosts, especially the ones coming from `secureserver.net’ (the full host name is p3nlhg1262.shr.prod.phx3.secureserver.net but it differs with the time as I believe those are different VPS instances from secureserver.net).
I Must mention that I have another domain using cloudflare firewall with the same settings for hostnames and its all good there. Login attempts get blocked. i can see those blocked requests on cloudflare Firewall Dashboard. I see no logs on my server whatsoever, so it means it works properly. I tried comparing those rules with the domain I am having problem with and I can spot no differences.
Is there something wrong with those rules? Does anybody have any idea how to approach this problem?