Banning IP when using Cloudflare

Hello,

I have a question regarding banning IPs at server level vs application level.

If the website is using Cloudflare, then the IPs of visitors inside .htaccess will be those of Cloudflare IPs. In such cases, wouldn’t this mean that banning IP at server level is pointless?

Is there a way to tell the iThemes Security to only ban IPs with application level using PHP?