My site was undergoing brute force attack today and then one of my admins tried to log in and got stuck in a loop of "change password" to verify yourself.
Each time she changed password, I got an email:
Your website, XXX, may have been broken in to.
Someone just logged in using the following components. Prior to that, some combination of those components were a part of 254 failed attempts to log in during the past 120 minutes
Maybe another reason for some kind of white list to ensure this kind of lock out does not happen?