The “wp-login.php” is not the only way someone can try to log into a WordPress site, one can also use the “xmlrpc.php” file. One of my co-workers wrote a detailed article about attacks related with this here [1] I recommend you to read it to have a better understanding of how the WordPress user authentication system works.
One of these plugins [2] may help you block those login attempts. Or if you do not mind to spend some money in the security of your site I suggest you to check our web application firewall [3].
[1] https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html
[2] https://wordpress.org/plugins/search.php?q=xmlrpc
[3] https://sucuri.net/website-firewall/
