@poacher2k
Last active October 30, 2020 11:23
Based on automated requests from attackers, this rule has stopped ~99% of all bad traffic. Add new rule -> "Edit expression" -> Paste -> "Use expression builder" -> Customize
(http.request.uri.path contains ".php") or (http.request.uri.path contains ".env") or (http.request.uri.path eq "/blog/") or (http.request.uri.path contains "wordpress") or (http.request.uri.path eq "/wp/") or (http.request.uri.path eq "/new/") or (http.request.uri.path eq "/old/") or (http.request.uri.path eq "/test/") or (http.request.uri.path eq "/main/") or (http.request.uri.path eq "/site/") or (http.request.uri.path eq "/backup/") or (http.request.uri.path eq "/home/") or (http.request.uri.path eq "/cms/") or (http.request.uri.path eq "/tmp/") or (http.request.uri.path eq "/dev/") or (http.request.uri.path eq "/old-wp/") or (http.request.uri.path eq "/web/") or (http.request.uri.path eq "/old-site/") or (http.request.uri.path eq "/temp/") or (http.request.uri.path eq "/2018/") or (http.request.uri.path eq "/2019/") or (http.request.uri.path eq "/bk/") or (http.request.uri.path eq "/wp1/") or (http.request.uri.path eq "/wp2/") or (http.request.uri.path eq "/v1/") or (http.request.uri.path eq "/v2/") or (http.request.uri.path eq "/bak/") or (http.request.uri.path eq "/install/") or (http.request.uri.path eq "/2020/") or (http.request.uri.path eq "/new-site/") or (http.request.uri.path contains "wp-admin") or (http.request.uri.path contains "wp-includes") or (http.request.uri.path contains "wlwmanifest.xml") or (http.request.uri.path contains "wp-content") or (http.request.uri.path contains ".git") or (http.request.uri.path contains "phpunit") or (http.request.uri.path contains "/vendor") or (http.request.uri.path contains "editdirect") or (http.request.uri.path contains "/data/admin")
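An added example (not part of the gist): a local Python model of the rule above, for checking which of your own routes it would match before you deploy it. It assumes Cloudflare's `contains` is a case-sensitive substring test and `eq` an exact comparison; `match_reason`, `audit` and the sample routes are constructed for illustration.

```python
# Added example: offline model of the gist's rule, to audit your own routes.
# Assumption: `contains` = case-sensitive substring, `eq` = exact match.

CONTAINS = (
    ".php", ".env", "wordpress", "wp-admin", "wp-includes",
    "wlwmanifest.xml", "wp-content", ".git", "phpunit", "/vendor",
    "editdirect", "/data/admin",
)
EQUALS = frozenset(
    f"/{name}/" for name in (
        "blog", "wp", "new", "old", "test", "main", "site", "backup", "home",
        "cms", "tmp", "dev", "old-wp", "web", "old-site", "temp", "2018",
        "2019", "bk", "wp1", "wp2", "v1", "v2", "bak", "install", "2020",
        "new-site",
    )
)


def match_reason(path):
    """Return the clause that matches `path`, or None if the rule does not fire."""
    if path in EQUALS:
        return f'eq "{path}"'
    for needle in CONTAINS:
        if needle in path:
            return f'contains "{needle}"'
    return None


def audit(legit_paths):
    """Map each legitimate route the rule would match to the clause it hits."""
    return {p: r for p in legit_paths if (r := match_reason(p))}


# Constructed sample routes for a hypothetical site (not from the gist).
SAMPLE_ROUTES = [
    "/", "/pricing", "/blog/", "/blog/hello-world", "/v1/", "/v1/users",
    "/docs/.github-actions", "/assets/vendor.js", "/settings/environment",
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE_ROUTES).items():
        print(f"{path:28} matched by {reason}")
```

The `eq` clauses fire only on the bare directory path, while the `contains` clauses fire anywhere in the path, which is where matches on legitimate routes such as `/assets/vendor.js` come from.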