As there are a limited number of page rules included in each plan, only 3 for the free plan, one always has to make a compromise between what we want and the limit we have, and set priorities.
If you don’t mind buying more page rules, this article lists several that may help a Wordpress website.
As for the wp-login.php page, are you sure you need to bypass cache? I don’t think so. I don’t think CF caches wp-login,php, even when under Cache Everything page rule. You might want to check whether your page caching plugin isn’t caching the wp-login.php page. I use WP Super Cache, and it has a list of exceptions you can add to avoid caching certain pages. And if you only want to add protection to the login page, there are other options.
If you are the only person using the admin area, you can have your wp-login.php page and your /wp-admin/ area protected by Access Policies. You can have up to 5 users accessing Access Policy-protected areas of your websites for free.
If your website has many users, you can set the protection for wp-login.php using a Firewall Rule:
(http.request.uri.path eq “wp-login.php”) then: JS Challenge (afaik, this is equivalent to the “I’m under attack” setting elsewhere)
You could then merge both rules that are setting “Cache Level: Cache Everything” into one, freeing up one PR to be used with /wp-json/. This one is needed, afaik, because Cloudflare will cache /wp-json/ and make plugins that depend on it to stop working properly (such as the Redirection and Simple History plugins)