A brute force attack first assumes that the enryption is free of backdoors and defects.  And the salt makes a dictionary attack against the hash impractical.  So, given the first assumption, a brute force attack would require the attacker to test as many as 1,461,501,637,330,900,000,000,000,000,000,000,000,000,000,000,000 different passwords.  In reality, educated guesses would probably reduce that number to a couple million at most.  Given the latency and response time of the internet and the web server being attacked, if each attempt takes .5 seconds and we assume the attacker gives up or succeeds after a million tries, the attack is going to take over 138 hours of continuous activity.  And since the failure response page is about 7500 bytes (not including protocol and network overhead), that results in about 7GB of data being sent to that single user in the 138 hour time frame.  Not to mention the million server log entries.

 

Of course if someone tries to guess the password using a dictionary attack with a million entries, it's not technically "brute force".  But, as boRg suggests, requiring the security code makes a dictionary attack as impractical as a brute force attack and should satisfy most administrators.  I don't know what kind of protection other forum applications offer, but I might try to build options myself for "minimum time between retries", "auto lock out with auto unlock or manual unlock", and failure logging.  Maybe simply linking the login function to the anti-spam function would solve it rather nicely.