C# articles and tutorials on SharpDeveloper.NET

Sharpen your .NET skills with our C# articles, tutorials, demos, and source code by Sameer Alibhai
posts - 63, comments - 52, trackbacks - 1

20% Extra Security is Enough To Stop Kiddie Hackers

Here's a security problem for you.

How do we stop people from using brute force attacks on our logon page?
Well, simple... just add a captcha.

Well, umm... captcha is already broken. Even if it isn't, they can hire someone overseas to sit there all day and crack away at it... right?
Well, umm... fine, so we'll set up this security scanner, and add that vulnerability protector, and automatically ban this and that, and let's do this... and that, and this, and that, and so on, and so forth, until we have a fortress.

To tell you the truth, unless your site is heavily targeted, captcha is probably good enough. In fact, my experience is that you just put in 20% effort and you will stop 80% of the hackers (there's that 80/20 rule again...!). For example, I had a web server that was getting daily hack attempts on the ssh port (port 21). I had done lots of security tightening on it. For example, I disabled root login, I added an automatic email that was sent to me on root logon, and so on... I also had software installed that would ban them after a certain number of failed logins and would send me an email. This software was called BFD (Brute Force Detection). After getting these daily hack attempts, I decided I had enough, and I changed the port to a random value (say 561). Since that day, I have received hardly one or two hack attempts. It seems most hackers were the kiddie hackers that didn't really bother to try hard enough. A simple port scan would have revealed my SSH port. However... by putting in that 20% effort, I got rid of 80% of the losers.

I eventually re-enabled direct root logon, since I realized this simple step was enough.
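The ban-after-N-failed-logins behaviour the anecdote above attributes to BFD, as an added Python example (not BFD's own code and not from the original post): it parses constructed sshd "Failed password" lines, counts failures per source address in a sliding time window, and reports which addresses would be banned. The threshold, window length and log format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd log lines (not from the original post).
SAMPLE_LOG = """\
May  5 18:01:02 web sshd[2101]: Failed password for root from 198.51.100.7 port 40122 ssh2
May  5 18:01:05 web sshd[2102]: Failed password for root from 198.51.100.7 port 40123 ssh2
May  5 18:01:09 web sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2
May  5 18:01:15 web sshd[2104]: Accepted publickey for deploy from 203.0.113.9 port 51000 ssh2
May  5 18:01:20 web sshd[2105]: Failed password for root from 198.51.100.7 port 40125 ssh2
May  5 18:01:31 web sshd[2106]: Failed password for root from 198.51.100.7 port 40126 ssh2
May  5 18:02:00 web sshd[2107]: Failed password for deploy from 203.0.113.9 port 51001 ssh2
May  5 18:45:00 web sshd[2108]: Failed password for deploy from 203.0.113.9 port 51002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2008):
    """Yield (timestamp, source_ip, user) for each failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other noise are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def find_bans(log_text, threshold=5, window_seconds=600):
    """Return {ip: time_threshold_first_reached} for sources with `threshold`
    failures inside any `window_seconds` window (assumed policy, not BFD's defaults)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    banned = {}
    for ts, ip, _user in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that aged out of the window
        if len(q) >= threshold:
            banned.setdefault(ip, ts)  # record the first time the limit was hit
    return banned

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```

In the sample, 198.51.100.7 hits five failures within thirty seconds and would be banned, while the two legitimate-looking failures from 203.0.113.9 are too far apart to trigger the rule.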

Now if your site is going to be targeted by hackers, no matter what you do, captcha or no captcha, IP blocking or not, if they want to get in, they will get in. The best way to stop those hackers is to hire some l33t hackers yourself to try to break their way in and then block it. You will need to do some security audits and close any open holes you might have.

But in the end, the idea is: just put in a little extra security. Don't just leave your login page open for brute force attacks, because you never know... they might have already hacked your site (scary, isn't it?).

Update - I found a good example of this in action - take a look at this quote from EmailSpoofer.NET:

Your Javascript sucks, I can decode it in 5min, why is it so easy to decode?

All javascript can be decoded. It's a matter of how much time/resources you want to devote to it. However, in this case, the javascript isn't meant to be difficult to be decoded by humans. It's meant to be difficult to be decoded by spambots. That being said, if you see some improvements I could make to the javascript routine, feel free to send them to me. I'd love to incorporate them into the control. However, please don't send me scripts that are someone else's work. Please send your original. Thanks!


Keep in mind that the 20% is always increasing. Hackers get smarter over time, and so you need to keep up with this minimum 20%. Take a look at how I was hacked in Server Security and PHP Safe Mode.

Posted on Monday, May 05, 2008 6:39 PM | Filed Under [ Hosting ]
