It’s most likely that the attacker is running a script which is meant to be doing a bruteforce attack on your site. i.e. it’s trying to use various usernames to log in to your site.
Unfortunately for the bad guy but fortunate for you, they don’t appear to be the sharpest pencil in the box in that their script is either broken, or in they left in the default ‘username’ of {login} in their script. So when it ran, it sent {login} instead of a usual username.
Common usernames certain scripts will try are ones like: {login}, root, rootuser, feed, admin, adminstrator, admin123, test, username, name, domain.tld , domain (where domain is the domain name of the site and TLD is the top level domain (i.e. com, net, uk, etc).
I like to maintain a common list of usernames that these scripts try to use to bruteforce log in and add them to all my WordFence configs.
Immediately any hacker tries to log in using one of these usernames, they are blocked. Use the WordFence options and scroll down to the “Immediately block the IP of users who try to sign in as these usernames” and enter the list of usernames above, one per line).
Along those lines, never use a username of admin or administrator or any other commonly used username as these will most likely be guessed by the attackers. (If they have the username, that’s 50% of their guesswork done, they only need bruteforce the password).
