One of the common steps taken to secure a WordPress installation is to restrict access to wp-login.php using .htaccess rules. This restricts who can login to the website by specifying which networks can and blocking everything else.
For example, this would restrict access to wp-login.php for all networks except for 220.127.116.11 and 18.104.22.168
order deny, allow deny from all allow from 22.214.171.124 allow from 126.96.36.199
But this won’t work when the website is connected through CloudFlare – as all requests will be coming through the CloudFlare network.
Instead, you can use the following
SetEnvIf X-FORWARDED-FOR 188.8.131.52 allow SetEnvIf X-FORWARDED-FOR 184.108.40.206 allow order deny,allow deny from all allow from env=allow