Re: How do they know?
It turns out that the xmlrpc.php unit has the 'feature' of allowing attackers to test many hundreds of username / password combos in a single call. Obviously, there is no legit use for this, but it's been kept because it's part of the spec. I suspect that's how they got into one of mine.
The only real uses for the unit are the Android/ithing clients and the bloatware that's Automattic's Jetpack plugin. If you need the latter, there's a plugin that only allows access to it only from their IP addresses, otherwise block access to it.