Why all the vulnerability scanners not getting blocked?

every day I am getting all this scanners that should be easily blocked keep scanning my site, I am not sure if its some rule that I disabled or they not getting blocked?

I see urls like:

/wp-includes/wlwmanifest.xml
/xmlrpc.php?rsd
/cms/wp-includes/wlwmanifest.xml
/wp-config.php~
/wp-config.php_bak
/wp-config.php.original
/wp-config.php.orig
/fckeditor/editor/filemanager/connectors/php/upload.php?Type=Media
/vendor/phpunit/phpunit/build.xml
administrator/help/en-GB/toc.json
/plugins/system/debug/debug.xml
/administrator
/wp-json/wp/v2/users

it happens every day for lots of time now
we need Cloudflare Honeypot project to catch and just block them they usually using virtual machine services

If I recall correctly, you may need to purchase a plan that includes the WAF (Web Application Firewall) if Project Honeypot isn’t doing as much as you would like to. Or you could create a firewall rule.