This is what an ESXi performance chart looks like around the time of a WordPress brute-force login attack.

Essentially a couple of robots (3 separate IP addresses) were trying over and over and over again (tens of times per second) to log in to WordPress via the wp-login.php script.

The drop-off in the CPU usage is when we banned the 3 IP addresses via the firewall.