And directly after the "download issue" we see /wp-login.php requests with "404" results.
Hackers will sniff for the existence of files on all public web sites. You need to look at LOG files more often. You'll get all kinds of crazy GET requests for non-existent files all the time on a public server. Some hacker/sniffer is looking for doorway pages or login pages. That's why you see a 404 for /wp-login.php. We don't use WordPress on our server, but some hacker is looking for a login page so that they can try hacking in.
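
As an added example (not part of the original posts), here is one way to pull these probes out of an access log and group them by client. It assumes Combined Log Format and a server that does not run WordPress. The sample lines, the IP addresses and the `/xmlrpc.php` entry are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Files that do not exist on this server, so a 404 for them is a scanner probe.
# /wp-login.php is the one from the thread; /xmlrpc.php is an assumed extra.
PROBE_SUFFIXES = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample input (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:10:15:01 +0000] "GET /downloads/file.zip HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:10:15:03 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:10:15:04 +0000] "POST /blog/WP-Login.php?action=x HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:15:09 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    'truncated or malformed line',
]


def probe_hits(lines, suffixes=PROBE_SUFFIXES):
    """Return {client_ip: [probed paths]} for 404 responses to probe files."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "404":
            continue  # skip malformed lines and anything that was not a 404
        # Drop the query string and normalise case before comparing.
        path = m.group("path").split("?", 1)[0].lower()
        if path.endswith(suffixes):
            hits[m.group("ip")].append(path)
    return dict(hits)


if __name__ == "__main__":
    # Noisiest clients first.
    for ip, paths in sorted(probe_hits(SAMPLE_LOG).items(),
                            key=lambda kv: -len(kv[1])):
        print(f"{ip}: {len(paths)} probe(s) -> {', '.join(sorted(set(paths)))}")
```

Ordinary 404s such as a missing image are left out on purpose, so the output lists only clients asking for login pages the site never had.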