I have @Cloudflare Access setup to protect a client’s WordPress Admin login and restricted the server to only receive traffic from their IPs. I woke up one morning to a load of login attempt notifications. Turns out they were using xmlrpc.php for the attempts to bypass wp-admin