Posted by - Ozgur Sar -
on - 9 June 2022 -
wordpress wp-login wp-admin ddos syn flood -
Summary
Web hosting companies struggle with the huge number of requests hitting the xmlrpc.php and wp-login.php endpoints of the WordPress sites they host. This usually leads to CPU load spikes and reduced server performance.
Why are these files / URLs targeted?
While xmlrpc.php and wp-login.php receive the most request hits, they serve different purposes.
wp-login.php is the endpoint to which user credentials are posted when someone tries to log in to the website. So it is the main file that gets bombarded with dictionary attacks and commonly used username / password combinations such as "admin" & "123456".
Tons of bots from all over the internet check whether a site runs WordPress and then try to log in through this well-known URL. Their main goal is to fill the website with spam posts containing their links.
xmlrpc.php, on the other hand, allows remote updates to WordPress from other applications, which makes it very appealing to attackers. If they can breach it and use XML-RPC to update the website remotely, they can once again fill the website with all sorts of posts, manipulate all the content inside and much more...
What can be done to reduce the impact of bot requests?
XML-RPC is not used on most websites, so it can be disabled by adding this one-line snippet to your theme's functions.php:
// Disable XML-RPC entirely: the xmlrpc_enabled filter now always returns false
add_filter( 'xmlrpc_enabled', '__return_false' );
Less advanced users may prefer to disable it via a plugin.
wp-login.php cannot be disabled as easily as xmlrpc.php, but there are plugins that rename this file using .htaccess rules, which solves the problem. My preferred plugin for this is WP Hide and Security. With it you can easily change the login URL of a WordPress website. It adds an extra security layer and reduces the number of bot hits to wp-login.php.
Solutions for web hosting company professionals
If you are on the hosting side and cannot directly alter your customers' WordPress sites, you can use Cloudflare and its WAF rules, or use ModSecurity rules to count the number of requests to these URLs and ban the source with CSF when a certain number of requests arrive within a certain period of time.
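As an added worked example (not code from the original post), here is the counting logic described above written in Python so it can be run over access-log lines: it counts hits to wp-login.php and xmlrpc.php per source IP in a sliding time window and produces CSF deny commands for any source that crosses the threshold. The log lines are constructed for this example (RFC 5737 test addresses), and the 5-hits-in-60-seconds threshold is an assumed value to tune per server; in production the same counting would be done by ModSecurity collection counters feeding CSF/LFD, as the paragraph says.

```python
"""Count hits to wp-login.php / xmlrpc.php per source IP in a sliding window
and emit CSF deny commands for sources that exceed a threshold.
The log lines, threshold and window below are constructed/assumed values."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [09/Jun/2022:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Jun/2022:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Jun/2022:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Jun/2022:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Jun/2022:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jun/2022:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jun/2022:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jun/2022:10:02:35 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.55 - - [09/Jun/2022:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Endpoints the post identifies as bot targets; matched by suffix so that
# subdirectory installs such as /blog/wp-login.php are counted too.
TARGET_PATHS = ("/wp-login.php", "/xmlrpc.php")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*"'
)


def parse_line(line):
    """Return (ip, timestamp, path) for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("target").split("?", 1)[0]  # drop any query string
    return m.group("ip"), ts, path


def find_abusers(log_text, threshold=5, window_seconds=60):
    """Return {ip: hit_count} for sources that made >= threshold requests to a
    target endpoint within any span of window_seconds (assumed defaults: 5 / 60 s)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of its recent target hits
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if not path.endswith(TARGET_PATHS) or ip in flagged:
            continue
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:  # evict hits that fell out of the window
            hits.popleft()
        if len(hits) >= threshold:
            flagged[ip] = len(hits)
    return flagged


def csf_deny_commands(abusers, comment="wp-login.php/xmlrpc.php flood"):
    """Build 'csf -d <ip> "<comment>"' strings (CSF's permanent-deny syntax).
    Commands are only returned here, never executed."""
    return [f'csf -d {ip} "{comment}"' for ip in sorted(abusers)]


if __name__ == "__main__":
    for cmd in csf_deny_commands(find_abusers(SAMPLE_LOG)):
        print(cmd)
```

On the sample data only 203.0.113.10 trips the default threshold (five target hits in four seconds); 198.51.100.7 makes two login-page requests more than a minute apart, which is what a human logging in looks like, so a window of a few minutes with a threshold of single digits is the usual starting point. A temporary block (`csf -td <ip> <ttl>`) is often preferable to the permanent `csf -d` so that a shared NAT address is not locked out indefinitely.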