Hackers are using the XML-RPC function in WordPress for DDoS botnet attacks as well as Brute Force attacks.
What is XML-RPC?
The XML-RPC function was originally designed to be used an intranet notification system for WordPress users. But few use it anymore due to spam.
Now it is being used primarily as a way to remote post to WordPress from mobile.
Some plugins and third-party applications use XML-RPC to deliver content from their servers to your site.
Do I need WordPress XML-RPC?
Most users don’t need WordPress XML-RPC functionality, and it’s one of the most common causes for exploits.
Some clients such as the official WordPress Mobile Apps and Blogger use XML-RPC requests to function.
All of the WordPress XML-RPC requests are remote POST requests to the xmlrpc.php script.
A full list of the different requests that can be made via XML-RPC can be found at XML-RPC WordPress API
Block WordPress xmlrpc.php requests with Disable XML-RPC Plugin
This plugin disables XML-RPC API in WordPress 4.5+, which is enabled by default.