Hi,
You can block these requests via a Vercel WAF rule: WAF Custom Rules
For example you can create a rule that blocks or challenges traffic using the contains “.php”:
We wouldn’t be able to design these exact queries for you, but it should be relatively simple using the above example to create a custom rules for each unwanted file type/request.