Unless you have a decent WAF checking hack attempts on your server, then you are going to succumb to some serious overloading.
One of the favourites of hackers and comment spammers is attacking the xmlrpc.php file which comes as standard on your WordPress install.
If you are running a server with hundreds of sites, then its not practical to block on each account so you need to do it above the /home directory.
Here is a screenshot explaining what happens during an xmlrpc attack and how to prevent it.
Here how to stop the attack and get back control of your server load
1. Create an empty .htaccess file in /home
2. Add the following code to the .htacess file.
# Block WordPress xmlrpc.php requests
deny from all
allow from 18.104.22.168
Now when you check your access log, you will see anyone trying to access the file anyhere on any of the sites in /home will be denied access.