Doh! My bad. You'd think that second glass of Mt. Dew would have prevented that mistake...
I see the concern now and verified that it does happen. The issue is that is the function that blocks bots. If the request does not come from the custom URL, then it is redirected because if a bot guesses incorrectly and can stay there, then the plugin is useless for bots.
All I can say at the moment is that it needs to be a valid login attempt unless I can sort out how to handle a failed login from the custom URL to redirect to the custom URL again. That's a deeply embedded function of the core, so I'm not sure as a padawan learner how to sort that out and maintain security.
Perhaps when I release v4.0, I can lax this a bit because I intend on doing deeper bot detection. If bots are 99.99% taken care of, I think this can be modified to not behave this way.