Hi, this is just a thought. The way password brute-force prevention is implemented in Frappe, it will be easy for any external user to lock out the administrator account.
Let's say I know the URL for the login screen: I can keep entering the wrong password and the admin account will remain locked.
I would suggest that the account locking should be based on a combination of user account and IP address.
Please do share your thoughts.
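The difference between keying the lockout on the account alone and on the account plus source address, as an added example that is not part of the original post and is not Frappe's own code. The `LoginThrottle` class, the 5-failure / 300-second thresholds and the IP addresses (documentation ranges) are assumptions made for illustration.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Hypothetical sliding-window counter of failed logins, per key."""

    def __init__(self, key_fields, max_failures=5, window_seconds=300):
        self.key_fields = key_fields        # ("user",) or ("user", "ip")
        self.max_failures = max_failures    # assumed threshold
        self.window = window_seconds        # assumed window
        self.failures = defaultdict(deque)  # key -> failure timestamps

    def _key(self, user, ip):
        attempt = {"user": user.lower(), "ip": ip}
        return tuple(attempt[f] for f in self.key_fields)

    def _recent(self, key, now):
        # Drop failures that have aged out of the window.
        q = self.failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_locked(self, user, ip, now=None):
        now = time.time() if now is None else now
        return len(self._recent(self._key(user, ip), now)) >= self.max_failures

    def record_failure(self, user, ip, now=None):
        now = time.time() if now is None else now
        self._recent(self._key(user, ip), now).append(now)

    def record_success(self, user, ip):
        self.failures.pop(self._key(user, ip), None)


def admin_locked_out(key_fields):
    """Constructed scenario: 5 wrong passwords arrive from one outside address,
    then the real administrator logs in from a different address."""
    throttle = LoginThrottle(key_fields)
    for t in range(5):
        throttle.record_failure("Administrator", "203.0.113.7", now=t)
    return {
        "outside_ip_blocked": throttle.is_locked("Administrator", "203.0.113.7", now=10),
        "admin_blocked": throttle.is_locked("Administrator", "198.51.100.20", now=10),
    }


if __name__ == "__main__":
    print("keyed on user:     ", admin_locked_out(("user",)))
    print("keyed on user + IP:", admin_locked_out(("user", "ip")))
```

Keying on the pair gives every source address its own failure budget, so a deployment that adopts it usually keeps a second, higher per-account limit that slows logins or alerts rather than locking the account.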