This is a great plugin that goes a long way to prevent brute force bot attacks. It does, however, slow down logins from legitimate users and can be annoying in that regard. It would be WONDERFUL if the CAPTCHA would only appear after the user got his/her password incorrect. No bot is going to guess the password on the first try after all. This would keep the level of protection high while drastically reducing the burden. Just a thought!