It could be better to test the number of authentication attempt on the _admin
Then display a captcha or block the login during x minutes (non-persistent, a restart should allow you to try again)