brute force attack even though it is limited by IP

WordPress is also an XML-RPC server. So I guess these bots tried to gain access through the XML-RPC protocol via the xmlrpc.php file in your WordPress root directory.

It’s possible to log in, and most likely your security plugin is picking up failed login attempts when wp_authenticate() is called and the wp_login_failed hook is activated.

Here’s the relevant part:

/**
 * Filter whether XML-RPC is enabled.
 *
 * This is the proper filter for turning off XML-RPC.
 *
 * @since 3.5.0
 *
 * @param bool $enabled Whether XML-RPC is enabled. Default true.
 */
$enabled = apply_filters( 'xmlrpc_enabled', $enabled );

if ( ! $enabled ) {
    $this->error = new IXR_Error(
        405,
        sprintf( __( 'XML-RPC services are disabled on this site.' ) )
    );
    return false;
}

$user = wp_authenticate( $username, $password );

So you can see that using:

add_filter( 'xmlrpc_enabled', '__return_false' );

will throw an IXR_Error instead of trying to authenticate the user.

Some choose to block access to the xmlrpc.php file.
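As an added example (not from the answer above and not WordPress core code), here is a must-use plugin that applies the filter described here and, when XML-RPC has to stay on for a legitimate client, trims the pingback methods and logs failed XML-RPC logins through core's xmlrpc_login_error action so they can be told apart from wp-login.php failures. The HXR_DISABLE_XMLRPC constant name is my own choice.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example)
 * Drop this file into wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Set to true to turn XML-RPC off entirely via the 'xmlrpc_enabled' filter.
// Set to false if something legitimately needs XML-RPC (a mobile app, Jetpack).
define( 'HXR_DISABLE_XMLRPC', true ); // hypothetical constant name, chosen for this example

if ( HXR_DISABLE_XMLRPC ) {
    // login() in class-wp-xmlrpc-server.php checks this filter before wp_authenticate(),
    // so the caller receives the 405 IXR_Error and no password is ever tested.
    add_filter( 'xmlrpc_enabled', '__return_false' );
} else {
    // Keep XML-RPC available but remove the pingback methods, which most sites never use.
    add_filter( 'xmlrpc_methods', function ( array $methods ) {
        unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
        return $methods;
    } );

    // Core fires xmlrpc_login_error (IXR_Error, WP_Error) right after a failed
    // wp_authenticate() inside the XML-RPC login path, so logging here tells you the
    // attempt arrived through xmlrpc.php rather than the normal login form.
    add_action( 'xmlrpc_login_error', function ( $error, $user ) {
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf(
            'xmlrpc login failure from %s: %s',
            $ip,
            is_wp_error( $user ) ? $user->get_error_code() : 'unknown'
        ) );
    }, 10, 2 );
}
```

The logged lines land in the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is on), where a security plugin or log monitor can count them per IP.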
