I have a multisite installation of WordPress with Better WP Security running. A client told me that she kept getting locked out intermittently in the past, but has been completely locked out for the last 24 hours. Found her IP was blocked and unblocked it. Verified that it's off the .htaccess.
One of the plugins was producing a lot of 404 errors. No big 404 attacks otherwise so I temporarily disabled 404 detection. Cache is cleared. Had her clear her cache. She's still locked out.