Unable to filter Ahrefs Bot via firewall rules

My site is https://www.tshirtmy.com.

I had turned on Cloudflare; in theory all traffic is supposed to go to Cloudflare before entering the server.
I had set up firewall rules to block all countries except Malaysia. It works for most cases except one bad bot named “Ahrefs”.
Semrush and others are easily filtered off by Cloudflare firewall rules.
But Ahrefs cannot. No effect at all.
Seems like Ahrefs bot can bypass Cloudflare and hit the server directly!!
I tried all methods, like blocking the IP range the Ahrefs bot used (54.36.0.0/16) - no effect in Cloudflare.
I tried blocking all countries except Malaysia - Ahrefs bot can also get through.
Blocking by hostname, URL, user agent were all tried: unsuccessful for Ahrefs, but successful for others.

Finally I entered the same IP range 54.36.0.0 - 54.36.255.255 in the cPanel IP blocker. It blocked Ahrefs bot's access to the website, but it had still already hit the server, so the CPU usage is still at its peak!!

If this can be blocked at the Cloudflare level then the server is safe.
Unfortunately Ahrefs bot can bypass Cloudflare and hit the server directly.
Any idea or advice, please?

Ahrefs bot hits the server every second / minute using IP range 54.36.0.0 - 54.36.255.255 and cannot be blocked with Cloudflare using any method. Now the blocking is via the cPanel IP blocker. The server responded 403. But if it keeps on hitting, I will be out of bandwidth soon!!

See log:

54.36.150.83 - - [13/Jun/2019:15:44:27 +0800] “GET /product-tag/white/?filter_color=black,red,navy,magenta,white HTTP/1.1” 403 246 “-” “Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)”
54.36.150.182 - - [13/Jun/2019:15:44:47 +0800] “GET /product-tag/maroon/?filter_color=magenta HTTP/1.1” 403 232 “-” “Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)”
54.36.148.79 - - [13/Jun/2019:15:45:07 +0800] “GET /product-tag/yellow/?filter_color=white,magenta,purple HTTP/1.1” 403 243 “-” “Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)”
2001:d08:df:ea3d:75b9:e7ec:7098:4dc3 - - [13/Jun/2019:15:45:23 +0800] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 67 “https://www.tshirtmy.com/wp-admin/plugins.php” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36”
54.36.149.98 - - [13/Jun/2019:15:45:39 +0800] “GET /product-tag/magenta/?filter_color=navy,magenta,sea-blue,red HTTP/1.1” 403 245 “-” “Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)”
2001:d08:df:ea3d:75b9:e7ec:7098:4dc3 - - [13/Jun/2019:15:45:54 +0800] “GET /wp-admin/plugins.php?action=deactivate&plugin=blackhole-bad-bots%2Fblackhole.php&plugin_status=all&paged=1&s&_wpnonce=acbb2dfe2f HTTP/1.1” 302 - “https://www.tshirtmy.com/wp-admin/plugins.php” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36”
54.36.150.144 - - [13/Jun/2019:15:46:05 +0800] “GET /product-tag/pink/?filter_color=black,purple,magenta HTTP/1.1” 403 243 “-” “Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)”
2001:d08:df:ea3d:75b9:e7ec:7098:4dc3 - - [13/Jun/2019:15:46:00 +0800] “GET /wp-admin/plugins.php?deactivate=true&plugin_status=all&paged=1&s= HTTP/1.1” 200 41076 “https://www.tshirtmy.com/wp-admin/plugins.php” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36”
2001:d08:df:ea3d:75b9:e7ec:7098:4dc3 - - [13/Jun/2019:15:46:08 +0800] “GET /wp-content/plugins/facebook-for-woocommerce/assets/js/facebook-infobanner.js?ts=1560411964&ver=4134c2e4a398b8b07e3cfd601cd4f0e6 HTTP/1.1” 200 540 “https://www.tshirtmy.com/wp-admin/plugins.php?deactivate=true&plugin_status=all&paged=1&s=” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36”
2001:d08:df:ea3d:75b9:e7ec:7098:4dc3 - - [13/Jun/2019:15:46:06 +0800] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 67 “https://www.tshirtmy.com/wp-admin/admin.php?page=WordfenceWAF&subpage=waf_options” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36”
54.36.150.101 - - [13/Jun/2019:15:46:25 +0800] “GET /product-category/uniform-shirt/t-shirts/honey-comb/?filter_color=royal-blue,white,sea-blue HTTP/1.1” 403 261 “-” “Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)”
2001:d08:df:ea3d:75b9:e7ec:7098:4dc3 - - [13/Jun/2019:15:46:23 +0800] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 103 “https://www.tshirtmy.com/wp-admin/plugins.php?plugin_status=all&paged=1&s” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36”
54.36.149.9 - - [13/Jun/2019:15:46:46 +0800] “GET /product-tag/white/?filter_color=navy,white,sea-blue HTTP/1.1” 403 240 “-” “Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)”
54.36.150.189 - - [13/Jun/2019:15:47:05 +0800] “GET /product-tag/magenta/?filter_color=navy,ash-grey,black HTTP/1.1” 403 244 “-” “Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)”
2001:d08:df:ea3d:75b9:e7ec:7098:4dc3 - - [13/Jun/2019:15:47:09 +0800] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 65 “https://www.tshirtmy.com/wp-admin/admin.php?page=WordfenceWAF&subpage=waf_options” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36”
2001:d08:df:ea3d:75b9:e7ec:7098:4dc3 - - [13/Jun/2019:15:47:08 +0800] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 67 “https://www.tshirtmy.com/wp-admin/plugins.php?plugin_status=all&paged=1&s” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36”
2001:d08:df:ea3d:75b9:e7ec:7098:4dc3 - - [13/Jun/2019:15:47:42 +0800] “GET /wp-admin/admin.php?w3tc_default_config_state_note=y&key=common.show_note.plugins_updated&value=false&page=w3tc_dashboard&_wpnonce=f42b5ea891 HTTP/1.1” 302 - “https://www.tshirtmy.com/wp-admin/plugins.php?plugin_status=all&paged=1&s” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36”
2001:d08:df:ea3d:75b9:e7ec:7098:4dc3 - - [13/Jun/2019:15:47:51 +0800] “GET /wp-admin/plugins.php?plugin_status=all&paged=1&s= HTTP/1.1” 200 40645 “https://www.tshirtmy.com/wp-admin/plugins.php?plugin_status=all&paged=1&s” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36”
54.36.150.35 - - [13/Jun/2019:15:47:58 +0800] “GET /product-category/uniform-shirt/?filter_color=black,navy,sea-blue HTTP/1.1” 403 249 “-” “Mozilla/5.0 (compatible; AhrefsBot/6.1; +http://ahrefs.com/robot/)”
2001:d08:df:ea3d:75b9:e7ec:7098:4dc3 - - [13/Jun/2019:15:47:58 +0800] “GET /wp-content/plugins/facebook-for-woocommerce/assets/js/facebook-infobanner.js?ts=1560412076&ver=4134c2e4a398b8b07e3cfd601cd4f0e6 HTTP/1.1” 200 540 “https://www.tshirtmy.com/wp-admin/plugins.php?plugin_status=all&paged=1&s=” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36”
2001:d08:df:ea3d:75b9:e7ec:7098:4dc3 - - [13/Jun/2019:15:48:10 +0800] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 67 “https://www.tshirtmy.com/wp-admin/admin.php?page=WordfenceWAF&subpage=waf_options” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36”
2001:d08:df:ea3d:75b9:e7ec:7098:4dc3 - - [13/Jun/2019:15:48:59 +0800] “POST /wp-admin/admin-ajax.php HTTP/1.1” 200 67 “https://www.tshirtmy.com/wp-admin/plugins.php?plugin_status=all&paged=1&s” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36”

Assuming the following is your website, it appears your server is responding to requests other than from Cloudflare.

If this is the case, any Cloudflare blocks can never fully take effect, as the client can simply contact your server directly. You’d want to lock down your server so that it only responds to requests from Cloudflare IP addresses (https://www.cloudflare.com/ips/).

If you ping tshirtmt.com, Cloudflare’s IP is responding to it, not the server’s IP. See the IP resolution below.

And also the Cloudflare DNS settings are all correctly assigned to Cloudflare.

That was not my point. My point was that your server responds and in doing so you cannot fully rely on Cloudflare’s settings as someone can simply circumvent Cloudflare.

Any idea how to tell my server to stop responding to requests and let Cloudflare handle them? I thought by assigning all records to Cloudflare, all traffic would arrive at Cloudflare first before being redirected to the server.

That’s a question for whoever maintains your server. Typically this is done on a firewall level.

Thanks for your kind answer. I will ask the host support and see what they can do for me.