connection rate limit

As a result, the site was attacked after a couple of hours.

Are you sure this is a targeted attack? Based on what data do you draw such a conclusion? In my experience, there were patients in whom the server generated the main page using an SQL query with many join statements, with a complete lack of caching, with a specific configuration (nginx on windows). The site stopped working with 30 concurrent clients. Naturally, external measures for filtering traffic could guarantee the server's operability only if it was available to a narrow circle of web clients. As a rule, it was difficult to explain this to such people.

Yesterday I connected couldflare, I don’t know if it will help with an ongoing attack

May I help. But, as far as I know, it is possible to find out the ip-address to which cloudflare redirects traffic and direct the attack accordingly. Accordingly, additional security measures are needed on your hosting (prohibit incoming traffic, except for redirected from cloudflare)

http attack - flood. Are there any other ways to protect?

As a networker, I will express my opinion (it is worth considering the professional deformation of the personality). I believe that it makes sense to talk about additional protection measures (hardware solutions, etc.) only if the incoming traffic to the server makes up a significant proportion (50-60%) of the interface bandwidth. I believe that the server, ideally, should be able to handle the line-rate volume of traffic, that is, the volume of traffic that completely utilizes the bandwidth of the network interface. And only after exhausting the possibilities of server optimization, it makes sense to turn to external solutions. Immature optimization in this case, I believe, is harmful. However, given the existence of services like cloudflare, it is useful to use them in some cases (like yours).

I heard about some firewalls, plugins for wordpress (the site is on it

If there are a lot of requests from non-target countries, which happens when a probable attacker buys a cheap botnet, then you can try filtering clients by country using geoIP databases. But be prepared for definition errors. You should also think about caching settings.

Expensive hosting is not yet possible to buy...

Are you using shared hosting? If yes, then consider buying a VPS by setting up caching with cloudflare. This will give you flexibility in settings. Although in rare cases, shared hosting can be more resistant to some attacks than a cheap VPS.
In short - you did what you could (connected the cloudflare service). For further customization, you need to understand many of the nuances of your site. DDoS attacks in your case may not be present. You should think about organizing competent support for your site (hire a system administrator or go deeper in this direction on your own).

Plugins and firewalls without understanding the principles of attack to one place, it will be more effective to go for the cheapest AntiDDoS. If you really want to do it yourself, put ab, hping, etc. somewhere. we check our site ourselves, we look at the loads from which it starts to blunt, what we can tune in the engine and close it on the firewall, along the way, an understanding will appear of what exactly the site is stacking. Http flooding is like a machine, nothing can be said without specifics, but there are a huge number of species.

This is not an attack, this is your advertising company, you want to keep a high load, buy a powerful server and optimize the serverside and code with the base.

"Go for the cheapest AntiDDoS"

Push to key (Power off)

Attack from Google ads? Show the logs, maybe your hosting does not handle more than 30 requests to the database at a time, and WordPress can be very busy

Go to a hosting provider that has a built-in free Anti-DDoS
For example, ruweb.net
Or OVH