Thanks for the information, Jessi! I'm wondering if I'm seeing something similar.
About two weeks ago, all of my sites started getting massive brute force login attempts. I had my limit login attempts threshold set at 4, but I was getting as many as 12 on some attempts. The botnets actually took down one of my site via DDoS.
Now, I have .htaccess for wp-admin and for the parent directory wp-login.php set to whitelist my IP. Initially, that cut off the massive brute-force onslaught, but after a few days, I started getting more notifications that my limit login threshold had been exceeded -- which I would not have thought possible (they were *not* coming from my whitelisted IP).
At this point, it's not fatal. My "admin" has no access to the site, has a very large randomly-generated password, and uses Google authentication plus stealth login. I'm getting 2 or 3 of these a day, so it appears that the layers above limit login attempts are repelling most of the botnet attacks. Not likely that anybody is going to guess that password plus the Google authentication plus the extra authentication -- but there are many things about this stuff I don't understand, and the fact that somebody is crashing my .htaccess worries me.