I identified xmlrpc.php traffic not as spammers, but actually as hackers, a potential security problem, by using the "WPS Hide Login" & "WPS Limit Login" plugins.
The first plugin crippled automated attacks' ability to access wp-login.php, so the attacks disappeared.
The second plugin's log later revealed that the login brute-force attacks had moved to xmlrpc.php. As the XML-RPC protocol is an old API which is expected to be soon removed from the WordPress API, there is/was no harm (for me) in disabling it completely.
PROBLEMS
But the problem is NOT ONLY login or XML-RPC; the REAL source of the problem is the WordPress site leaking registered user names, including administrator user names! That gives hackers half of the login problem solved: the username. A great opportunity for automated scripts to start scanning WP sites.
I noticed a login attack just after creating a new site. How did they find the site so quickly? Somehow/somewhere, every new "Let's Encrypt" certificate is publicly available, so attacks will often begin just after creating the site & certificate. Before you have installed security plugins!
MY SOLUTIONS