We received 673 hits over a 39 minute period. That’s 17 per minute… IP’s are supposed to be blocked after 2 hits per minute. Why isn’t the offending IP being blocked?
I’d add a wildcard * to the end of that URL just in case they’re adding a query string after it.
Also, are you sure their requests are coming through Cloudflare? Some attackers hit the server IP address directly. Which is why I have a server firewall that blocks everything that doesn’t come from a Cloudflare IP address.
We added the wildcard. Hopefully that helps.
When attempting to access the page via IP address, all are redirected to the domain itself.
If an attacker were to find out the IP address, then basically add it to /etc/hosts, they can access your site directly by hostname and won’t get redirected to the domain itself.