Simple suggestion here after reading Lock down accounts by IP after N failed attemps at logging · Issue #2888 · matomo-org/matomo · GitHub
What about a simple sleep(5); when login isn’t good.
That is way a very simple but effective way to block brute force and could be a first step easily available for 1.12…
It doesn’t resolve everything but at least limit brute force…