Currently there is no protection against brute-forcing a user's password. An attacker could use a predefined dictionary to obtain the user's password.
As a solution, login attempts, especially unsuccessful ones, from the last 24hrs need to be stored in a database. For this, a shortened IP address and a timestamp should be used.
Several attempts could cause a delay (max 5 sec.), and after a number of attempts (5?) the user could be prompted to solve a CAPTCHA to hinder several brute-force attempts at a time.
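A sketch of the proposed throttle as an added example (not code from this project): attempts are stored per shortened IP with a timestamp, entries older than 24 hours are dropped, the delay grows by one second per recent failure up to the 5-second cap, and a CAPTCHA is required once 5 failures are on record. The class and function names, the /24 and /48 truncation, and the one-second-per-failure step are assumptions; the store is an in-memory dict standing in for the database.

```python
import ipaddress
import time
from collections import defaultdict

WINDOW_SECONDS = 24 * 3600     # keep attempts from the last 24 hours
MAX_DELAY_SECONDS = 5.0        # never delay a login by more than 5 seconds
CAPTCHA_THRESHOLD = 5          # require a CAPTCHA after this many recent failures


def shorten_ip(ip: str) -> str:
    """Store only the network part of the address (/24 for IPv4, /48 for IPv6; assumed prefixes)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class LoginThrottle:
    """Tracks login attempts per shortened IP and decides delay / CAPTCHA (hypothetical name)."""

    def __init__(self):
        # shortened IP -> list of (timestamp, success) tuples; stands in for the database table
        self._attempts = defaultdict(list)

    def _recent_failures(self, key: str, now: float) -> int:
        attempts = self._attempts[key]
        # expire everything older than the 24-hour window
        attempts[:] = [(ts, ok) for ts, ok in attempts if now - ts < WINDOW_SECONDS]
        return sum(1 for _, ok in attempts if not ok)

    def check(self, ip: str, now: float = None):
        """Return (delay_seconds, captcha_required) to apply before processing a login."""
        now = time.time() if now is None else now
        failures = self._recent_failures(shorten_ip(ip), now)
        # assumed policy: one second per recent failure, capped at MAX_DELAY_SECONDS
        delay = min(MAX_DELAY_SECONDS, float(failures))
        return delay, failures >= CAPTCHA_THRESHOLD

    def record(self, ip: str, success: bool, now: float = None) -> None:
        """Store an attempt (successful or not) with its timestamp."""
        now = time.time() if now is None else now
        self._attempts[shorten_ip(ip)].append((now, success))
```

Because the key is the shortened address, a second host in the same /24 shares the counter, which is the trade-off the shortened-IP storage implies.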