I tried disabling New User Approve, Registration Honeypot, and one other security-related plugin, Stop Spammer Registrations. It made no difference.
While I was watching the access log, another IP address started hitting the wp-login URL several times per second. Then I noticed that IP's requests suddenly became intermingled with responses from 69.46.36.10, which I've noticed in the past happens when Wordfence blocks an IP. Checking Wordfence, I saw that the IP address was shown as blocked in 'IPs that are blocked from accessing the site', with the reason being 'Blocked by Wordfence Security Network'. But that's separate from the automatic login blocking that should be occurring and isn't, right?