We used to prohibit access to WordPress admin by using this below in our .htaccess file:
# BEGIN PROTECTION wp-login.php
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
</Files>
# END PROTECTION wp-login.php
Using Cloudflare it do not work: I get a 403 error (forbidden)…
I looks like your .htaccess code could be blocking Cloudflare.
Since Cloudflare acts as a reverse proxy, when it’s configured as expected, all connections to your origin webserver come from Cloudflare’s IP addresses, and that may or may not be a problem for you:
If your web application is using the originating IP of the visitor as part of its logic, it will now use a Cloudflare IP address
If you use the content of your access logs, they now contain a Cloudflare IP address as the $remote_addr
Depending on your setup, you can restore the visitor IPs in a number of ways. You can find a complete list here, or below are a few of the most popular: