Widespread brute-force attacks on WordPress sites have been reported across the globe. The attackers have infected 10,000-plus WordPress sites and are using them to attack and compromise other WordPress websites.
The attackers send out the attacks through anonymous proxy servers, and the infected sites run an attack script that specifically targets WordPress websites. Security experts suggest changing your existing passwords to very strong ones and installing a security plugin such as Wordfence. If WordPress Toolkit is available, it is recommended to use it to check your WordPress sites for security issues and pending updates.
What we currently know is that the attacks use a highly sophisticated bot that works through word lists and very common passwords. For example, if the bot tried to access the WordPress admin area with the username mike1, it would run through the list with options such as mike2018, mike01 and so on. While this is not likely to work on any one site, because it is being done across a large number of websites the attackers will eventually find a site with poor security, gain access, compromise it and then use it to do the same to other sites.
Even if you have updated your WordPress instance to the latest version, 5.0, it can still be infected by this threat, because it relies on user-based access.
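As an added example (not part of the original report), the Python check below rejects passwords of the kind described above at the moment they are chosen: common passwords and passwords built from the account name, such as mike2018 for the user mike1. The function names, the three rules, the 12-character minimum and the sample word list are assumptions made for illustration.

```python
import re

# Constructed sample list (assumption); in practice load a real common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin", "welcome"}

COMMON = "common password"
FROM_USERNAME = "derived from username"
TOO_SHORT = "too short"


def _stem(text):
    """Lower-case, then strip leading/trailing digits and punctuation: 'Mike2018!' -> 'mike'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", text.lower())


def weak_password_reason(username, password, min_length=12):
    """Return why a password is easy to guess, or None if no rule fires."""
    lowered = password.lower()
    # Rule 1: the password, with or without decoration, is on the common list.
    if lowered in COMMON_PASSWORDS or _stem(password) in COMMON_PASSWORDS:
        return COMMON
    # Rule 2: the password contains the account name's stem (mike1 -> mike2018, mike01).
    # Stems under 3 characters are skipped to avoid flagging unrelated passwords.
    user_stem = _stem(username)
    if len(user_stem) >= 3 and user_stem in lowered:
        return FROM_USERNAME
    # Rule 3: short passwords fall to word lists regardless of content.
    if len(password) < min_length:
        return TOO_SHORT
    return None


def audit(candidates):
    """Map username -> reason for every (username, password) pair that fails a rule."""
    flagged = {}
    for username, password in candidates:
        reason = weak_password_reason(username, password)
        if reason:
            flagged[username] = reason
    return flagged


if __name__ == "__main__":
    # Constructed accounts for illustration only.
    sample = [("mike1", "mike2018"), ("anna", "Welcome1!"), ("sam", "correct-horse-battery-staple")]
    print(audit(sample))
```

Because WordPress stores only password hashes, a check like this has to run when a password is set or changed, not against the existing user table.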