Channel: WordPress.org Forums » [Wordfence Security - Firewall, Malware Scan, and Login Security] Support

mountainguy2 on "[Plugin: Wordfence Security] Massive Hit from - over 50 IP Addresses"


I've been dealing with this stuff for years now, huge attacks, some so bad they shut down my site due to exceeding server resources.

First step is to indeed get to know your .htaccess like a lover and if possible limit login to specific IPs. Beyond that, while security "experts" say it's not that great, I've found "security through obscurity" will block most login attacks quite effectively. Attackers like to go after the low-hanging fruit -- make yourself hard to harvest and they'll go elsewhere.

Simply change your login URL to something unique and the login attacks will just get an error message and won't use up near as much of your bandwidth. And many of them will just go away.

The plugin I use for this is wSecure Authentication, https://wordpress.org/plugins/wsecure/

I use wSecure Auth on the latest WP version, with a lot of back end mods to my theme etc., and it still works.

I'm actually pretty surprised Wordfence doesn't have this as a feature.

Another super effective technique is to ID countries you have no need of sharing your website with, and block them entirely. This can cut down an immense amount of attack traffic. This technique can be refined by using a country block plugin (perhaps Wordfence?) that allows country blocking on the _back end_ separated from who is blocked from the front. In other words, you block all countries but your own for the admin! My plugin solution for this is IQ Block Country, https://wordpress.org/plugins/iq-block-country/

These plugins could possibly conflict with Wordfence, but if you guys are getting slammed, consider adjusting your plugin scheme and trying the above techniques.

Lastly, remember to use hardened passwords as well as never using "admin" as a user name. But you guys already know that (grin). If you use hardened passwords (random letters and numbers, more than 10 characters or so), the brute force login guessing game the hack attacks use will never be successful at guessing, though they'll suck up your bandwidth till you stop them with above techniques.

MTN
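
The .htaccess restriction of login to specific IPs mentioned in the post above, as an added example that is not part of the original post or of any plugin it names. The IP addresses are constructed placeholders from documentation ranges, and the file is assumed to sit in the WordPress root next to wp-login.php.

```apache
# .htaccess in the WordPress document root (same directory as wp-login.php).
# Needs AllowOverride to permit AuthConfig (2.4) or Limit (2.2), or All.
# 203.0.113.10 and 198.51.100.0/24 are constructed placeholder addresses
# (documentation ranges); replace them with your own static admin IPs.

# Apache 2.4+: mod_authz_core is present.
<IfModule mod_authz_core.c>
    <Files "wp-login.php">
        # Several Require lines are ORed: a match on either one grants access.
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </Files>
</IfModule>

# Apache 2.2: fall back to the older access-control directives.
<IfModule !mod_authz_core.c>
    <Files "wp-login.php">
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </Files>
</IfModule>

# Everyone else receives 403 from Apache itself, so a login flood never
# starts PHP or loads WordPress.
#
# Caveat: behind a CDN or reverse proxy, Apache sees the proxy's address
# as the client. The real client IP has to be restored first (mod_remoteip,
# configured in the server or virtual-host config, not in .htaccess),
# otherwise this rule blocks or allows the proxy rather than the visitor.
```

Check the rule by requesting wp-login.php from an address outside the list and confirming a 403 response, then from a listed address and confirming the login form loads.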

