As this question was asked ~7 years ago, perhaps some more recent information might be helpful.
Implementing Google reCAPTCHA v3 might be better than blindly throttling all traffic. It can tell if someone is just hammering the password and will block them accordingly. If someone looks like a human but is just getting their password wrong, it won't block them as quickly. Google knows more about the www than any one of us, so might as well leverage that.
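As an added example (not part of the original answer): reCAPTCHA v3 reports its verdict as a score in the `siteverify` response, and the login handler has to turn that score into a decision. The sketch below does that for constructed response bodies; the thresholds, action name, hostname and failure limit are assumptions to tune per site.

```python
import json

# Assumed policy values (not from the original answer); tune per site.
EXPECTED_ACTION = "login"         # action name passed by the client when requesting the token
EXPECTED_HOSTNAME = "example.com" # placeholder for the site that serves the login form
BLOCK_BELOW = 0.3                 # scores under this are treated as automated
CHALLENGE_BELOW = 0.7             # scores under this get a second factor / extra challenge
MAX_FAILURES = 5                  # recent wrong passwords tolerated for a human-looking client


def login_decision(verify_json, failed_attempts):
    """Map a siteverify response body and the account's recent failure
    count to "allow", "challenge" or "block"."""
    try:
        resp = json.loads(verify_json)
    except ValueError:
        return "block"  # unparseable verification result: reject this attempt
    if not isinstance(resp, dict) or resp.get("success") is not True:
        return "block"  # token missing, expired, reused or invalid
    # A valid token minted for another action or another site must not count.
    if resp.get("action") != EXPECTED_ACTION:
        return "block"
    if resp.get("hostname") != EXPECTED_HOSTNAME:
        return "block"
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "block"
    if score < BLOCK_BELOW:
        return "block"
    # Human-looking clients that keep failing are slowed down, not locked out.
    if score < CHALLENGE_BELOW or failed_attempts >= MAX_FAILURES:
        return "challenge"
    return "allow"


def sample(score, action="login", success=True):
    """Build a constructed siteverify-style body for demonstration."""
    return json.dumps({"success": success, "score": score, "action": action,
                       "hostname": EXPECTED_HOSTNAME,
                       "challenge_ts": "2024-01-01T00:00:00Z"})


if __name__ == "__main__":
    for body, fails in [(sample(0.9), 0), (sample(0.9), 6), (sample(0.1), 0),
                        (sample(0.9, action="signup"), 0)]:
        print(login_decision(body, fails), body)
```

Checking `action` and `hostname` as well as `score` keeps a token obtained on a different page or site from being accepted at the login endpoint.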