Cloudflare doesn’t do much to stop bots from poking around sites. It’s extremely difficult to tell the difference between a well-crafted bot and a clumsy human.
What firewall rule did you add? I use “Access” to lock down my logins. It will bypass the lock if it’s my home IP address, but will let someone in if they have the right email address to send the code to.
I’ve also used Firewall Rules to block wp-login for anybody out of the country.