This is what an ESXi performance chart looks like around the time of a WordPress brute-force login attack.
Essentially a couple of robots (3 separate IP addresses) were trying over and over and over again (tens of times per second) to log in to WordPress via the wp-login.php script.
The drop-off in the CPU usage is when we banned the 3 IP addresses via the firewall.