• Resolved Akemi

    (@akemi_mokoto)


    I have Sucuri installed on my website, it is doing its job of blocking failed logins from someone clearly launching a BFA but I am confused as to how they are doing it.

    I have .htaccess restricting anybody from viewing my wp-admin page by redirecting them to a 403 error page and the only way to get to my wp-admin login area is if they are using my computer’s IP and I know it works because I tested it on a VPN/Proxy. So yesterday, I also added a .wpadmin file and password protected the wp-login.php and added some stuff to my htaccess file so that it works. I tested that too and it is doing what it is supposed to do.

    Yet I am still seeing no decrease or total stoppage of an obvious BFA. These attacks have been going on since the first of the month, and the only thing the “attacker” knows is my username to log in (somehow), but the passwords are not even close to what mine is, which is why I know it’s a BFA.

    So how is this attacker managing to bypass the security measures I put in place to keep people from even trying to view the login areas of my website?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Eve

    (@evahost)

    Hi Akemi,

    Can you please clarify, do you need assistance with the Sucuri plugin?

    We don’t have enough information about your setup to help with specific access issues, and the forum is for plugin-specific questions.

    Please let us know if we can help with any plugin questions or issues.

    Kind regards,
    Eve

  • yorman

    (@yorman)

    Hello @akemi_mokoto, the attacker might be using this approach [1], but as my coworker said in a previous comment, we don’t have enough information to answer your question; we can just speculate. Your hosting provider should be able to help you address these issues, as they have more access to your server than us.

    Marking as resolved, feel free to re-open if you have more questions.

    [1] https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
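
One way to check which endpoint the login attempts in this thread are reaching (an added example, not part of the original posts or of Sucuri's code): tally POST requests to `wp-login.php` and `xmlrpc.php` by HTTP status in the web server access log, since `xmlrpc.php` also accepts a username and password and is not covered by rules written for `wp-admin` and `wp-login.php`. The log lines are constructed samples in Apache combined format, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (Apache combined log format); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2019:10:00:02 +0000] "GET /wp-admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2019:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Mar/2019:10:00:04 +0000] "POST //xmlrpc.php HTTP/1.1" 200 674 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Mar/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Mar/2019:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Mar/2019:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# WordPress files that accept a username and password.
AUTH_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")


def tally_auth_posts(log_text):
    """Count POSTs per (endpoint, HTTP status) for credential-accepting endpoints."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        # Drop the query string and collapse doubled slashes ("//xmlrpc.php").
        path = re.sub(r"/+", "/", m.group("path").split("?", 1)[0])
        if path.endswith(AUTH_ENDPOINTS):
            endpoint = "/" + path.rsplit("/", 1)[1]
            counts[(endpoint, int(m.group("status")))] += 1
    return counts


def unblocked_endpoints(counts, blocked_statuses=(401, 403)):
    """Endpoints where a POST got past the server-level block and reached WordPress.

    A 200 here means the request was processed, not that the login succeeded.
    """
    return sorted({ep for (ep, status) in counts if status not in blocked_statuses})


if __name__ == "__main__":
    tally = tally_auth_posts(SAMPLE_LOG)
    for (endpoint, status), n in sorted(tally.items()):
        print(f"{endpoint:15} {status} {n}")
    print("Reaching WordPress:", unblocked_endpoints(tally))
```

If `xmlrpc.php` shows up as reaching WordPress, the same IP allow-list or password protection applied to `wp-login.php` can be extended to it, or the endpoint can be disabled if nothing on the site depends on it.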

  • The topic ‘Someone bypassing anti-brute force security?’ is closed to new replies.