Looks like my host “fixed” their server. Instead of showing Cloudflare’s IP, it now shows the client’s IP.
That means if you get the IP of the server, you can easily bypass Cloudflare’s firewall. Yes, I could put my IP in the .htaccess instead. But then I have to remember to update that file, and Cloudflare.
So perhaps the bots can hammer wp-login.php now.
No idea if they only allow Cloudflare connecting IPs for sites using Cloudflare. Doing so by the firewall could be hard, as that might apply to the entire server and all sites, including those not using Cloudflare.
I’ll keep the workaround in my wp-config.php file. According to a simple PHP file to echo the IP address, it is indeed showing my IP now, so that workaround probably isn’t needed anymore.
That will make the stats show actual IP addresses though, instead of Cloudflare IP addresses.
Since it’s shared hosting, they can fix the bots hammering wp-login.php, right?
And it looks like I need to email them. They changed my PHP version again. WordPress told me. Fucking annoying. I don’t want old PHP.
Hmm, if the server gets hacked because they changed my PHP version, it isn’t my fault, right?
Hopefully what you use doesn’t require a newer PHP, as then your site will be dead until you manually change it back.