They weren't accessing wp-login.php at all because this stopped the attack:
<Files "xmlrpc.php">
Order Allow,Deny
deny from all
</Files>Sadly this will also stop all trackbacks and pingbacks.
I don't know enough to fully understand how xmlrpc.php can be used in a login attempt.