Link: Protecting Your WordPress Blog From XML-RPC Brute Force Amplification Attacks16 Oct 2015
To summarize, attackers are taking advantage of a vulnerability in WordPress’s XML-RPC system.multicall method which effectively allows them to issue hundreds of login attempts with a single request. To put it another way, this is an extreme case of brute forcing logins in an attempt to determine your administrative user credentials.
Validate the change as suggested from a comment of the above link (xml-rpc should be disabled):
You can check if XML-RPC is enabled on your site with this tool