It appears to me that Vercel writes the requests to the logs even if the requests return 403 Forbidden. That confused me a bit, but they are being denied even though the requests are logged.
At this point I have set up this configuration in the Vercel firewall.
Rule 1 RequestPath --> MatchesExpression --> .php$|.php7$
Rule 2 RequestPath --> MatchesExpression --> (wp-content|wp-admin|wp-login|cgi-bin|wp-includes|wp-trackback|wp-feed|.well-known)
I did it this way because the logs show the bots looking for URLs like site/wp-content/ or site/wp-includes/ without a php extension, just a trailing slash.
Today I had 1,000 requests denied with this setup, so it seems to be working pretty well.
JA4 Digest requests are next on the menu.
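
A dry run of the two path expressions above against sample paths, as an added example that is not part of the original post. It assumes the firewall applies ordinary unanchored regex matching; the "escaped" variant and all sample paths are constructed for illustration.

```javascript
// Added example: check deny expressions for false positives and misses
// before enforcing them. Assumption: unanchored regex match on the request path.
const RULES = {
  // Expressions exactly as written in the post.
  asPosted: [
    /.php$|.php7$/,
    /(wp-content|wp-admin|wp-login|cgi-bin|wp-includes|wp-trackback|wp-feed|.well-known)/,
  ],
  // Hypothetical variant: literal dots escaped, names tied to a path segment.
  escaped: [
    /\.php7?$/,
    /(^|\/)(wp-content|wp-admin|wp-login|cgi-bin|wp-includes|wp-trackback|wp-feed|\.well-known)([\/.]|$)/,
  ],
};

// Constructed sample paths: probes like those described in the post, plus
// ordinary page paths that a deny rule should leave alone.
const SAMPLES = [
  { path: "/wp-login.php", expectDeny: true },
  { path: "/site/wp-content/", expectDeny: true },
  { path: "/site/wp-includes/", expectDeny: true },
  { path: "/xmlrpc.php", expectDeny: true },
  { path: "/index.php7", expectDeny: true },
  { path: "/cgi-bin/test", expectDeny: true },
  { path: "/about", expectDeny: false },
  { path: "/docs/intro-to-php", expectDeny: false },
  { path: "/blog/wp-content-migration-guide", expectDeny: false },
];

// A request is denied when any rule in the set matches its path.
function isDenied(path, rules) {
  return rules.some((re) => re.test(path));
}

// Legitimate paths the rule set would block.
function falsePositives(rules) {
  return SAMPLES.filter((s) => !s.expectDeny && isDenied(s.path, rules)).map((s) => s.path);
}

// Probe paths the rule set would let through.
function missed(rules) {
  return SAMPLES.filter((s) => s.expectDeny && !isDenied(s.path, rules)).map((s) => s.path);
}

for (const [name, rules] of Object.entries(RULES)) {
  console.log(name, { falsePositives: falsePositives(rules), missed: missed(rules) });
}
```

An unescaped `.` matches any character, so `.php$` also matches a path ending in `-php`; replacing SAMPLES with paths taken from the site's own routes shows whether that matters for a given deployment.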