XMLRPC or WP-Login: Which do Brute Force Attackers Prefer Wordfence blog has an article discussing common attack methods in brute-forcing WordPress login attempts: https://www.wordfence.com/blog/2017/01/xmlrpc-wp-login-brute-force/