This may be a feature request...
I found that the plugin does not seem to account for brute force attacks with no IP coming through. I do have a load balancer in place, but if a bot/person were to bypass the load balancer and hit a server directly, the IP is not filtered and unable to limit the login attempts.
Maybe include logic to prevent blank IP address from accessing the login? Maybe with an optional checkbox in the settings?
Otherwise, great plugin.