Bruteforce login attempts even with IP/authentication blocking
Hi, I am using the Limit Login Attempts plugin, which works well, but as I set it to send me an email notification about every failed attempt to log in, I am receiving about 100 emails daily.
My issue: I hoped I could “harden” my security by limiting access to the wp-login.php file to myself only.
At first I have added this to .htaccess:
<Files wp-login.php>
    AuthUserFile /mnt/data/.../www/.htpasswd
    AuthName "FCUKOFF"
    AuthType Basic
    require user login
</Files>
Well, simple HTTP Authentication is required now, but for my convenience the username and password are the same: login. Maybe bots try this, because this hardening did nothing. (I changed the password later, but it did nothing.)
So I have added this, limiting POST requests to wp-login.php etc.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login|wp-admin)\.php* 
    RewriteCond %{HTTP_REFERER} !.*(www.mydomain.com).* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    # the substitution is a URL, not a regex, so the ^ and $ anchors do not belong here
    RewriteRule (.*) https://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>
It did nothing with the login attempts, but it worked when I tested a POST request from a script on my PC (I got an error instead of HTML content).
So I have added IP blocking to the <Files wp-login.php> block:
    order deny,allow
    allow from 123.my.ip
    deny from all
Tried access from another IP of mine, and was rejected (as expected).
But not the bots. I am still receiving notifications about login attempts …
So I am totally clueless about what I am doing wrong. And my question (finally!) is: are there any other ways of logging in to a WordPress site, which are blocked by the mentioned plugin, but I am unaware of?
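As an added diagnostic that is not part of the original post, the plugin or Apache: this Python script reads Apache combined-format access log lines (a constructed sample is embedded) and lists every IP other than the owner's whose POSTs to wp-login.php were answered with something other than 401/403. If the <Files> deny rule is really being applied to the requests the plugin is counting, that list should be empty; the log format, the owner IP and the sample lines are assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format (assumed; the post shows no log lines).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: the owner's IP plus two foreign IPs posting to wp-login.php.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" ""
192.0.2.77 - - [10/Oct/2023:13:57:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://www.mydomain.com/wp-login.php" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2023:13:57:13 +0000] "GET /wp-admin/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

OWNER_IP = "192.0.2.77"  # placeholder standing in for the post's "123.my.ip"
LOGIN_PATHS = ("/wp-login.php", "/wp-comments-post.php")

def parse_log(text):
    """Yield one dict per line that matches the combined format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def login_posts_by_ip(text):
    """Count POSTs to the login-related paths per client IP, split by HTTP status."""
    counts = defaultdict(Counter)
    for rec in parse_log(text):
        if rec["method"] == "POST" and rec["path"].split("?")[0] in LOGIN_PATHS:
            counts[rec["ip"]][int(rec["status"])] += 1
    return counts

def leaking_ips(text, owner_ip=OWNER_IP):
    """IPs other than the owner whose login POSTs were NOT rejected with 401/403.
    With the IP-deny rule on wp-login.php in effect this should be empty; anything
    listed here reached WordPress despite the .htaccess restrictions."""
    leaks = {}
    for ip, statuses in login_posts_by_ip(text).items():
        if ip == owner_ip:
            continue
        passed = sum(n for st, n in statuses.items() if st not in (401, 403))
        if passed:
            leaks[ip] = passed
    return leaks

if __name__ == "__main__":
    print(leaking_ips(SAMPLE_LOG))  # {'203.0.113.5': 2}
```

Run it against the real access log (`leaking_ips(open(path).read())`) with OWNER_IP set to your own address; a non-empty result means the blocked requests are still reaching WordPress on the logged host.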