This is not consistent with the current dialog to block users, is actually blocking an IP when a User fails login by the Limits & Settings, which has the adverse effect of blocking any other users at that IP
Block By Username - An attacker, from a single IP can alternate usernames & passwords, from the one IP, and this will never trigger a Block, the Limits & Settings should allow a choice* to block a list of user names
We can setup a list of user names to manually block an IP, but this requires human intervention
Block by Attempts in n seconds; this means trying and getting blocked educates the attacker to "try" fewer times with more time elapsed between tries and not get blocked
Block Rule Bug, if the rule is 4 times in 15 seconds, an attacker can try 5 or more times in less than 15 seconds and not be blocked until 15 seconds is elapsed. So a setting of 30 seconds or more means many attempts without being blocked
Bug correction would be, limited to 4 times in less than 15 seconds, try number 5 less than 15 seconds the block is triggered
*Choice to have multiple Limits & Settings rules to block failed login attempts; the Admin User can be Warned that adding additional rules are their responsibility, because likely multiple rules would allow an admin to create a problem. The dialog should also include an export and reset to default one rule; to both allow review of prior settings and to reset if needed
