Attackers quite frequently try to exploit xmlrpc.php, a built-in WordPress file that provides access to external services, such as Jetpack, marketing services, etc. Most sites don’t need this functionality, so it can be blocked. I found this article listing a couple of ways to do it, and it’s one of the services we’ll add to our site this year, as part of the security checkup.
You have to be careful and make sure that nothing is using it. I wonder if there’s a plugin already out there which helps determine if it’s being used on a site. Will check and update if I find something.
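
One way to check whether anything is calling the endpoint before blocking it, as an added example (not from the original post or the article it mentions): this script tallies requests to xmlrpc.php in a web server access log by method, user agent and source IP. It assumes the Apache/Nginx combined log format; the sample lines, addresses and agents are constructed.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges and made-up agents), not real traffic.
SAMPLE_LOG = '''\
198.51.100.7 - - [03/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 420 "-" "Jetpack by WordPress.com"
198.51.100.7 - - [03/Jan/2024:11:00:01 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.1" 200 418 "-" "Jetpack by WordPress.com"
203.0.113.50 - - [03/Jan/2024:11:05:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.50 - - [03/Jan/2024:11:05:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.50 - - [03/Jan/2024:11:05:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.51 - - [03/Jan/2024:11:06:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/8.0"
192.0.2.10 - - [03/Jan/2024:11:07:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
'''


def xmlrpc_usage(log_text):
    """Count xmlrpc.php requests per (method, user agent) and per source IP."""
    by_client, by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # Drop the query string so /xmlrpc.php?for=... is still counted.
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith("/xmlrpc.php"):
            continue
        by_client[(m["method"], m["agent"])] += 1
        by_ip[m["ip"]] += 1
    return by_client, by_ip


if __name__ == "__main__":
    clients, ips = xmlrpc_usage(SAMPLE_LOG)
    for (method, agent), hits in clients.most_common():
        print(f"{hits:5d}  {method:4s}  {agent}")
    print("source IPs:", dict(ips))
```

Run it over a few weeks of logs: recurring callers that identify as a service or app the site depends on are the ones that would break if the file is blocked.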