I had setup Cloudflare as a WAF and we have proxied our webservers address to CF.
With all the security turned on we had expected cloudflare to stop login attempts.
We even added some firewall rules to stop “wp-admin” and so on in the URI and still no joy.
iThemes on the WP web server still produces “Site Lockout Notifications”. for user tried to login as “admin.” Now from Cloudflare servers.
Has anyone else had this experience?