• Resolved Tony G

    (@starbuck)


    View Logs, then XML-RPC and Login Form. All of the login forms show the request:

    POST[80]:/xmlrpc.php

    There are no requests for the login form here. Am I reading this wrong?

    Also, I moved my login form to a different end point, like /a-new-login.php. So any requests at all to login.php are bogus. But how do I ensure that my actual login page is getting checked by this plugin?

    Thanks.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Tony,

    What you are reporting here is right, but this is due to this plugin’s circumstances. Let me explain.

    You know XML-RPC is used for pingback in WordPress. This is done by requesting pingback.ping, which is one of the methods of Remote Procedure Call by XML. This call doesn’t need a user name and password.

    But there are other methods, such as wp.getAuthors or wp.getUsersBlogs, that need a user name and password. Those methods are used by the WordPress mobile app. But it also means that xmlrpc.php can be abused for login attempts.

    And when this kind of login attempt fails, this plugin handles it the same as requests to wp-login.php. This means that renaming wp-login.php is not enough to prevent login attempts.

    I know it’s not right to categorize it as “Login form”, but I think users should know XML-RPC is abused by attackers.

    There’s one more thing I should mention. The method system.multicall is abused as “Brute Force Amplification Attacks”. This issue was fixed in WordPress 4.4 and later. And this plugin categorizes it as “XML-RPC”.

    Although I know these behaviors are not uniform, it’s my intention.

    By the way Tony, how about the topic “Log filter?”? I wonder whether my answer satisfied you or not. Please let me know.

    Thanks.

  • Plugin Author tokkonopapa

    (@tokkonopapa)

    P.S. This is the test vector for system.multicall: https://github.com/tokkonopapa/WordPress-IP-Geo-Block/blob/master/test/bin/multicall.txt

    It includes 100 pairs of user name and password so that it could attempt to login 100 times at one request.
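
Added example, not part of the thread and not the plugin's own code: a Python classifier that a log reviewer could run over bodies POSTed to /xmlrpc.php to separate pingbacks from credentialed calls and to count how many login attempts a single system.multicall request carries. The function names, category labels and sample bodies are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
import xmlrpc.client

# Methods the thread names as needing a user name and password (not a complete list).
AUTH_METHODS = {"wp.getAuthors", "wp.getUsersBlogs"}

def _multicall_methods(root):
    """Return the methodName of every call packed into a system.multicall body."""
    names = []
    for struct in root.iterfind("./params/param/value/array/data/value/struct"):
        for member in struct.iterfind("member"):
            if member.findtext("name") == "methodName":
                # XML-RPC allows a string value with or without a <string> wrapper.
                text = member.findtext("value/string") or member.findtext("value") or ""
                names.append(text.strip())
    return names

def classify_xmlrpc(body):
    """Return (category, credentialed_calls) for one POST body sent to /xmlrpc.php."""
    # Refuse DTDs before parsing: ElementTree does not guard against entity expansion.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return ("rejected", 0)
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("malformed", 0)
    method = (root.findtext("methodName") or "").strip()
    if method == "system.multicall":
        inner = _multicall_methods(root)
        return ("multicall", sum(1 for m in inner if m in AUTH_METHODS))
    if method in AUTH_METHODS:
        return ("login", 1)
    if method == "pingback.ping":
        return ("pingback", 0)
    return ("other", 0)

# Constructed sample bodies with placeholder credentials, built by the standard library.
PINGBACK = xmlrpc.client.dumps(
    ("http://source.example/", "http://target.example/post"), "pingback.ping")
LOGIN = xmlrpc.client.dumps(("user", "placeholder"), "wp.getUsersBlogs")
MULTICALL = xmlrpc.client.dumps(
    ([{"methodName": "wp.getUsersBlogs", "params": [f"user{i}", "placeholder"]}
      for i in range(3)],),
    "system.multicall")

if __name__ == "__main__":
    for label, body in (("pingback", PINGBACK), ("login", LOGIN), ("multicall", MULTICALL)):
        print(label, classify_xmlrpc(body))
```

The second element of the result is the number to rate-limit on: a per-request counter sees one POST where the multicall body carries several credential checks.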


The topic ‘Bug in Log categorization?’ is closed to new replies.