Thanks for your response.
I wonder whether you people will introduce something like fail2ban for the admin portal...
... like: 5 consecutive failure of UIN-PWD combination triggers a 5-minute ban of admincp login for current cookie.
(2FA-enabled users can use 2FA to bypass this ban.)