If you use the “hide backend” feature in iThemes Security, login.php is also hidden (until you visit new wp-admin URL).