[WP] How the fuck they still have access?

One of my sites has been targeted since last night till now where they try to nonstop login into my site.

Now I'm not that worried they will come in as I got a 25 character PW and double authentification but I don't understand how they can still try.

Got Ithemes security installed and disabled XMLRPC, I put a .htaccess file in wp-admin which restricts the login to my IP only and got a firewall on the server and still having failed login attempts messages for the past 12 hours.

How the…

[WP] How the fuck they still have access?