We were experimenting with several options in Cloudflare trying to block/rate limit access to wp-login.php – to be very specific.
We have setup Rate Limiting Rules which supposed to block > 10 request per 1 minute. In the past, this seemed to work well. Recently, we also explore ‘Page Rules’ which will send */wp-login.php with Browser Integrity Check enabled and also Security Level I’m under Attack mode.
The later seemed to be in-effect without the Rate-Limiting being checked. So, we are wondering if Page Rules will get higher priority? Is there any where we can see which ones are in effect?
If we disable the Page rules, Rate Limit kicks in. So, it’s kind like picking one and the other inactive now.