Beyond what @sdayman has suggested, what you can do to better your site performance is to monitor all events caught by Wordfence and try to move them to one of the Cloudflare tools, such as Access, IP Access rules and Firewall Rules, so that they are blocked at the cloud, and not at your origin.
For instance, if you see many blocks being applied against a specific IP address, you can create an IP Access rule to challenge visits from that IP. And if you have a list of URLs that Wordfence blocks automatically, you can create a Firewall Rule with those URLs with an action of Block.
Also, one of the factors that made me move away from Wordfence (I now use NinjaFirewall WP Edition) was actually one of its best features, the Live Traffic. It generates (or used to, not sure if they changed that) a sort of non-existing URL for their internal use only, but that the gullible Googlebot finds anyway and keeps trying to crawl. Not only is this a waste of origin bandwidth and CPU resources, as each of these URLs will force WP to generate a 404, but it also adds lots of URLs to your Search Console reports, making it more difficult to visualize the actual 404 errors. If I was still using Wordfence, I’d make sure to craft a Firewall Rule to block those URLs.
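Added example, not part of the original post: one way to turn a list of blocked requests into the IPs to challenge and a Firewall Rule expression for the URLs to block. The CSV layout, the thresholds and the `allow` list are assumptions; Wordfence's actual export format is not shown in this thread.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample: a hypothetical CSV export of blocked requests (ip,path).
# The real Wordfence export layout is not given in the post; this one is assumed.
SAMPLE_BLOCKS = """ip,path
203.0.113.7,/wp-login.php
203.0.113.7,/xmlrpc.php
203.0.113.7,/wp-login.php
198.51.100.23,/old-plugin/upload.php
198.51.100.23,/old-plugin/upload.php
198.51.100.23,/old-plugin/upload.php
192.0.2.44,/old-plugin/upload.php
not-an-ip,/wp-login.php
"""

def tally(csv_text):
    """Count blocked requests per source IP and per path, skipping bad rows."""
    ips, paths = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ip = str(ipaddress.ip_address(row["ip"].strip()))
        except ValueError:
            continue  # malformed address: never carry it into a rule
        path = row["path"].strip()
        if not path.startswith("/") or '"' in path or "\\" in path:
            continue  # would not quote cleanly inside an expression
        ips[ip] += 1
        paths[path] += 1
    return ips, paths

def ips_to_challenge(ips, min_hits):
    """IPs blocked at least min_hits times: candidates for IP Access rules."""
    return sorted(ip for ip, n in ips.items() if n >= min_hits)

def path_expression(paths, min_hits, allow=("/wp-login.php",)):
    """Firewall Rule expression for a Block action; `allow` paths are kept out
    so a rule cannot lock legitimate users out of pages the site still needs."""
    hot = sorted(p for p, n in paths.items() if n >= min_hits and p not in allow)
    quoted = " ".join('"%s"' % p for p in hot)
    return "(http.request.uri.path in {%s})" % quoted if hot else None

if __name__ == "__main__":
    ip_counts, path_counts = tally(SAMPLE_BLOCKS)
    print("Challenge:", ips_to_challenge(ip_counts, 3))
    print("Block:    ", path_expression(path_counts, 3))
```

Review the generated expression before deploying it, since a path that real visitors use should be added to `allow` rather than blocked at the edge.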