Edit: Solution solved. Nothing to do with Cloudflare.
I’m currently running cPanel/WHM, and have Apache/Nginx installed and now just installed CSF. Unfortunately, CSF is not showing the actual visitors IP address so it isn’t blocking the bad attacks.
Anyway to fix this? Tried searching it up but didn’t get far.