#458 Rate limit to help prevent dictionary attacks

1.x
closed
nobody
5
2009-06-09
2009-01-10
Greg Meiste
No

It may be a good idea to implement rate limiting in phpWebSite, with a primary goal to prevent dictionary attacks by malicious users attempting to gain access to user accounts.

When an IP address makes X amount of login attempts in a minute, they would be temporarily blocked out for the rest of the minute, maybe longer. When an IP address is temporarily blocked out, it could be logged, giving an admin the ability to review the logs and ban the IP permanently if determined to be a high-risk or repeat offender.

I briefly considered making my own third-party module for this, but decided it would be best implemented in the core users and/or access modules.

Let me know if you have any questions.
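The scheme proposed in this ticket, sketched as an added example that is not part of the original request and is not phpWebSite code: a fixed one-minute window per IP address that refuses logins past the threshold for the rest of that minute and logs each temporary block for admin review. The class `LoginRateLimiter`, the threshold of 5, the log format and the in-memory store are assumptions (a real module would keep counters in the database or a shared cache); it needs PHP 8.0 or later.

```php
<?php
// Added example, not phpWebSite code. Fixed one-minute window per IP address.
// LoginRateLimiter, its parameters and the log format are hypothetical.
final class LoginRateLimiter
{
    /** @var array<string, array{window:int, count:int}> attempts per IP in the current window */
    private array $attempts = [];
    /** @var string[] one line per temporary block, for admin review */
    private array $blockLog = [];

    public function __construct(
        private int $maxAttempts = 5,    // the ticket's "X"; 5 is an assumed value
        private int $windowSeconds = 60  // "in a minute"
    ) {}

    /** Record a login attempt; return true if it may proceed, false if the IP is blocked. */
    public function allow(string $ip, int $now): bool
    {
        $window = intdiv($now, $this->windowSeconds);
        // A new window starts a fresh counter, so a block lasts "the rest of the minute".
        if (!isset($this->attempts[$ip]) || $this->attempts[$ip]['window'] !== $window) {
            $this->attempts[$ip] = ['window' => $window, 'count' => 0];
        }
        $count = ++$this->attempts[$ip]['count'];
        if ($count <= $this->maxAttempts) {
            return true;
        }
        // Log once per window, on the first refused attempt, so the log stays reviewable.
        if ($count === $this->maxAttempts + 1) {
            $this->blockLog[] = sprintf('%s blocked %s until %s',
                gmdate('c', $now), $ip, gmdate('c', ($window + 1) * $this->windowSeconds));
        }
        return false;
    }

    /** @return string[] */
    public function blockLog(): array { return $this->blockLog; }
}

// Constructed sample: 7 attempts from one address in the same minute, then one in the next.
$limiter = new LoginRateLimiter(5, 60);
$t0 = 1231545600; // 2009-01-10 00:00:00 UTC
for ($i = 0; $i < 7; $i++) {
    printf("attempt %d: %s\n", $i + 1, $limiter->allow('192.0.2.10', $t0 + $i) ? 'allowed' : 'blocked');
}
printf("next minute: %s\n", $limiter->allow('192.0.2.10', $t0 + 60) ? 'allowed' : 'blocked');
print implode("\n", $limiter->blockLog()) . "\n";
```

A fixed window lets a client spread up to twice the threshold across a minute boundary; extending the block beyond the window ("maybe longer" in the ticket) would close that gap.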

Discussion

    • status: open --> closed