They try to log in by calling wp-login.php with the username admin and different passwords. I record all calls to wp-login.php to analyse them. Everything is recorded without the password (only the number of password characters): $_SERVER, $_GET, $_POST, $_COOKIE, $_SESSION, $_FILES (not needed here).
There can be 50 of these attempts in a day. I think they come from some server and are aimed not only at this site, but at many. Search for “wordpress 94.242.237.115” and you will find results for mass WordPress attacks. The calls to the .php files uploaded before were from different IPs.
Analysing a hack is the best way to prevent future hacks. I have fixed sites after hacks a few times. Most hacks use eval(s) + base64_decode placed somewhere (to be short and not easy to find).
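
A way to look for the eval + base64_decode pattern mentioned above when cleaning a site, as an added example (not code from the original post). The severity levels, the function names classify and scan_tree, and the sample files are assumptions made for illustration; every finding still needs manual review.

```python
import re
import tempfile
from pathlib import Path

# PHP function names are case-insensitive and may be followed by whitespace.
EVAL = re.compile(r"\beval\s*\(", re.I)
B64 = re.compile(r"\bbase64_decode\s*\(", re.I)
# eval( ... base64_decode( with optional wrapper calls (e.g. gzinflate) between.
NESTED = re.compile(r"\beval\s*\((?:\s*@?\w+\s*\()*?\s*@?base64_decode\s*\(", re.I)

# Constructed sample files; the encoded payload is a placeholder string.
SAMPLES = {
    "clean.php": "<?php $img = base64_decode($stored);\n",
    "nested.php": "<?php\n@eval(gzinflate(base64_decode('PLACEHOLDER')));\n",
    "split.php": "<?php\n$c = base64_decode($p);\n\nEVAL ($c);\n",
    "lib/tpl.php": "<?php eval($template);\n",
}


def classify(source):
    """Return (severity, line_numbers) for one PHP source string."""
    if not EVAL.search(source):
        return ("none", [])  # assumption: base64_decode alone is too common to flag
    lines = [n for n, line in enumerate(source.splitlines(), 1)
             if EVAL.search(line) or B64.search(line)]
    if NESTED.search(source):
        return ("high", lines)    # decoded data is passed straight to eval
    if B64.search(source):
        return ("medium", lines)  # both present, possibly joined via a variable
    return ("low", lines)         # eval alone


def scan_tree(root):
    """Scan every .php file under root; return {relative_path: (severity, lines)}."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        source = path.read_text(encoding="utf-8", errors="replace")
        severity, lines = classify(source)
        if severity != "none":
            report[path.relative_to(root).as_posix()] = (severity, lines)
    return report


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        for name, (severity, lines) in scan_tree(tmp).items():
            print(f"{severity:6} {name} lines {lines}")
```

To check a real site, call scan_tree with the path of the WordPress directory and start the review with the files reported as high.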