visited http://localhost/

Hello fellows WordPress-ers. or something in those lines.

Anyhow I have this people landing on localhost issue that drives me nuts.
My setup is a bit different meaning I am running on a Azure VM provided by Bitnami and the whole thing is behind Cloudflare.
Cloudflare is set to challenge browsers from a LOT of countries as my target is narrow due to language and I have a .htaccess rewrite rule that redirects everyone that tries to directly access my IP to my domain name – hence CloudFlare. Since that in place my exploit/bruteforce/scan visit dropped to zero. I mean my server was as peaceful as a cow in a sunny meadow in the 10th day of spring. But then the visits to http://localhost/ begun. Not to the amount of what the other attacks were but still showing up. I have tried all kinds of settings on how WordFence gets the IPs – no change. The localhost visits kept coming from countries I have blocked in Cloudflare so they should not be showing up.
Not sure where to go next so I am asking here for any pointers anyone could spare.
Thank you!