It says in the control panel: "If a user fails to log in 4 or more times in a 15 minute period, this method will be used to prevent brute force attacks." First problem is that it's not clear in the phrase if the account will be locket out on the fourth or fifth attempt. The second problem is a bug that I have just been able to reproduce here at XenForo.com: Try to login with a wrong password multiple times and you'll see that you're allowed to fail 5 times (the fifth attempt is the latest chance you have to login). On the sixth attempt even if you enter the correct password it will not work and you'll get the locked out error message. If the fifth attempt is the latest chance you have to login then after failing on the fifth attempt the system should display the locked out error message and not wait until the sixth attempt to show that because the sixth attempt will be useless anyway. By the way now that you're going to modify the code for this could you include a message on the let's say third failed attempt telling the user that he has 2 more tries before his account gets locked out?