I know absolutely zero about WordPress or it's plugins, so take this for what it's worth.....
First, and probably most obvious, are the .htaccess files themselves protected?
Secondly, your description is a little confusing...are you saying that you need to enter a username and password before you even see the admin login page?
If so, perhaps consider just blocking all unauthorized IP addresses from accessing the directory, rather than having them login to it.
By forcing them to login first, you are essentially telling the world "Hey, you found the administration center",
in which case they can just view the source from a default WP install, create a their form on their remote server, and bypass the pre-login authorization.
Or at the very least, have the admin login page first verify that the "pre-login" was completed successfully, before it shows or processes the real admin login page.