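Some example rules for the Cloudflare firewall (field and expression reference: https://developers.cloudflare.com/firewall/cf-firewall-rules/fields-and-expressions). The expressions below match unwanted requests, so they are presumably meant to be paired with a Block or challenge action. Note that `contains` is a case-sensitive substring match: short patterns such as ".inc", ".key", ".conf" or "base64" can also match legitimate URLs, and differently cased or encoded variants are not matched, so test each rule against real traffic before enforcing it.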
(http.request.uri.path contains "/wp-content/" and http.request.uri.path contains ".php") or (http.request.uri.path contains "/wp-includes/" and http.request.uri.path contains ".php") or (http.request.uri.path eq "/xmlrpc.php") or (http.request.uri.path contains "wp-config")
(http.request.full_uri contains "<?php") or (http.cookie contains "<?php") or (http.request.full_uri contains "../") or (http.request.full_uri contains "..%2F") or (http.request.uri contains "/autodiscover/") or (http.request.uri contains "/wpad.") or (http.request.full_uri contains "webconfig.txt") or (http.request.full_uri contains "vuln.") or (http.request.uri.query contains "base64") or (http.request.uri.query contains "<") or (http.request.uri.query contains "%3C") or (http.request.uri.query contains "%3c") or (http.request.uri.query contains "¼script¾") or (http.cookie contains "<script") or (http.referer contains "<script") or (http.request.uri.query contains "$_GLOBALS[") or (http.request.uri.query contains "$_REQUEST[") or (http.request.uri.query contains "$_POST[") or (http.request.uri.path contains ".env") or (http.request.uri.path contains "passwd") or (http.request.uri.path contains ".key") or (http.request.uri.path contains ".ini") or (http.request.uri.path contains ".inc") or (http.request.uri.path contains ".bak") or (http.request.uri.path contains ".config") or (http.request.uri.path contains ".conf") or (http.request.uri.path contains ".backup") or (http.request.uri.path contains ".svn") or (http.request.uri.path contains ".git") or (http.request.uri.path contains ".xsd") or (http.request.uri.path contains ".gitignore") or (http.request.uri.path contains "php-bak") or (http.request.uri.path contains "union%20select") or (http.request.uri.path contains "eval-stdin.php") or (http.request.uri.path contains "env.example")
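Example: allow login only from Finland. The expression matches wp-login and wp-admin requests whose country is not "FI", so use it with a Block action. Because "wp-admin" is matched as a substring, this also covers /wp-admin/admin-ajax.php, which some themes and plugins call from the public site; exclude that path if visitors outside Finland need it.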
(http.request.uri.path contains "wp-login" and ip.geoip.country ne "FI") or (http.request.uri.path contains "wp-admin" and ip.geoip.country ne "FI")