While Better WP Security is a great plugin if configured properly - this particular issue revolves around "wp-login.php" which is not addressed solely by "Better WP Security". We have posted a full write-up on stopping this attack/hiding your wp-login and wp-admin in this thread [ http://forums.mddhos...iew-this-topic/ ].
Plus all WP users really should install this plugin for security: https://wordpress.or...er-wp-security/
And make sure that they use this setting in order to prevent brute-force attacks.:
Plus this plugin adds blacklisted domains email etc to .htaccess