I just found the same issue on one of my WordPress blogs (3.8.1), using WordFence 4.0.3. The WordFence messages look like this (x'ing by me, it is not necessary to publish the hosts IP and name):
A user with IP address 89.xxx.xxx.xxx has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username '' to try to sign in.
User IP: 89.xxx.xxx.xxx
User hostname: xxxx.xxxxx-xxxxxxxx.com
Yes, right, the username field is empty!
The according log entries in the access.log look like this:
89.xxx.xxx.xxx - - [29/Mar/2014:00:20:48 +0100] "POST /xmlrpc.php HTTP/1.1" 200 1466 "-" "Mozilla/5.0 (Window
s NT 6.2; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"
(Nothing in the error_log!)
So this was not exactly a login attempt as WordFence tells me, but an attempt to replace the xmlrcp.php file. It seems that WordFence is not prepared for an attack like this. It sends out the e-mail about a blocking, but does not actually block the attempts (this host made about 2,000 attempts within 30 minutes, then the attacks stopped).