Password Bruteforce Implementation

Hi, this is just a thought. The way password brute-force prevention is implemented in Frappe, it will be easy for any external user to lock out the administrator account.

Let's say I know the URL for the login screen. I can keep entering the wrong password and the admin account will remain locked.

I would suggest that the account locking should be based on a combination of user account and IP address.

Please do share your thoughts.

An attacker may use different IPs to carry out their attack.

Yes they can, but the number of public IPs they can acquire is limited.
Also, this approach is more secure than what is currently there.

The problem we are trying to solve here is that actual users who know the password should be able to log in while other malicious users get blocked out.

2 Likes
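A small lockout model, added here as an illustration and not Frappe's own code, comparing the two keying policies discussed above (per user only vs. user plus source IP). The threshold, user name and IP addresses in the scenario are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 3  # constructed threshold for the illustration


@dataclass
class LockoutTracker:
    """Counts consecutive failed logins per key and locks that key once
    MAX_FAILURES is reached. per_ip=False keys on the user only (the
    behaviour the thread complains about); per_ip=True keys on (user, ip)."""
    per_ip: bool
    failures: dict = field(default_factory=lambda: defaultdict(int))

    def _key(self, user: str, ip: str):
        return (user, ip) if self.per_ip else (user,)

    def is_locked(self, user: str, ip: str) -> bool:
        return self.failures[self._key(user, ip)] >= MAX_FAILURES

    def attempt(self, user: str, ip: str, password_ok: bool) -> str:
        """Process one login attempt; returns 'locked', 'ok' or 'denied'."""
        key = self._key(user, ip)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"          # rejected without checking the password
        if password_ok:
            self.failures[key] = 0   # successful login resets the counter
            return "ok"
        self.failures[key] += 1
        return "denied"


def simulate(per_ip: bool) -> dict:
    """Constructed scenario: a remote host (203.0.113.9) sends wrong passwords
    for 'Administrator' until the threshold is hit, then the real admin logs in
    with the correct password from a different address (198.51.100.7)."""
    tracker = LockoutTracker(per_ip=per_ip)
    for _ in range(MAX_FAILURES):
        tracker.attempt("Administrator", "203.0.113.9", password_ok=False)
    return {
        "attacker": tracker.attempt("Administrator", "203.0.113.9", password_ok=False),
        "admin": tracker.attempt("Administrator", "198.51.100.7", password_ok=True),
    }
```

With user-only keying the admin is locked out alongside the remote host; with (user, ip) keying the remote host stays locked while the admin logs in, at the cost that a source spreading attempts across many IPs gets a fresh counter for each one, which is the objection raised in the reply.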

@govindsmenokee You can turn on 2FA and disable brute force protection to achieve this.

1 Like