Someone has been attacking our web server all day using a botnet, trying to find user credentials by bashing guesses using xmlrpc authentication attempts.

     If you are running a WordPress site and do not need pingback or other xmlrpc capabilities, I strongly recommend installing a plugin that disables xmlrpc.  You can find one by typing that into the new plugin search box in WordPress.

     I also strongly suggest installing wp-fail2ban if you have a WordPress site.  This will cause your site to log these attempts.  We have software on our server that will then use this to disable connections from the IP addresses probing for passwords.