In roadmap - "Configuration of brute force protection"
UI to allow and block "Login email address" and "IP addresses". Including an automatic 'Temporary block threshold' and 'permanent block threshold' setting for both.
Additional captcha protection would be good. Also, I would prefer to use a different solution than captcha from Google.