Recently there have been more XML-RPC attacks, which are a sophisticated way to brute-force your password without using the wp-login or registration form. You can read all about it at Sucuri’s Blog here.
One plugin I always use when my security buddy Wordfence tells me there have been many attempts to recover a lost password, or too many failed attempts to log in with existing or non-existing users, is Google Captcha (reCAPTCHA) by BestWebSoft. A great tip for blocking brute force attacks right there. Let me explain in detail how it works.