xmlrpc.php acts like an API so this looks to me like an attack.
Secure it access to this file and -more important- block all http traffic to your origin except cloudflare sources:
Restrict access to this file (Apache Config):
#Disallow access to important files
Deny from all
If you don’t need XMLRPC you can safely deactivate it completely by editing the functions.php:
/* Disable XMLRPC */
add_filter( ‘xmlrpc_enabled’, ‘__return_false’ );
To remove it from the HTTP header as well add:
/* Remove XMLRPC, WLW, Generator and ShortLink tags from header */
This will reduce the server load.