After protecting the Login page, WordPress has some other places that should be protected. Not all of them are security related, some are just nuisance requests to valid and invalid items that are included in automated scans.
As part of my standard deployment of a site I use a custom Cloudflare rule to protect WordPress. With this rule I can protect PHP execution from unnecessary location, stop brute force attacks, limit comment SPAM and more.