Daniel, is there a chance that in a future version you might make lock out optional rather than forcing the slow down method?
There appears to be a lot in this plugin that I would appreciate, but I'm hung up on the lock out issue.
Whatever may be most common, my most recent experience is that attacks are being coded to pause on a target and then resume. Using Limit Login Attempts, I've increased the lockout time progressively to 3 months because of the persistence of the bots. So if they are never locked out, they may just keep doggedly hitting the site until who knows if they get lucky?
A side question while I'm abusing your expertise: do you believe captcha at login is an effective addition against brute force and does your plugin detect a failed login attempt due to a failed captcha as a "fail" that needs to be dealt with either with the slowdown or some day with an optional lockout?
Thank you for contributing your skills to the WP community and your obvious commitment to making this plugin a valuable security tool.