I might use:
- Captcha to challenge the bots,
- Limited login attempts that block IPs and usernames to prevent brute-force attacks.
- And a simple feature like "Forgot my password", but for "My IP has been blocked", for DoS victims who don't want to wait 15 minutes.
I'll also consider building in the ability to turn IP blocking and user blocking on and off, etc., to counter DoS attempts.
Oh, and mod_evasive looks like a good solution for preventing DoS altogether.
Keeping malicious people out of a site is a challenge; there is no guarantee that you can stop them, but slowing them down so they grow old and gray hacking your site, that's a definite possibility!
Thanks for the brainstorming, guys!!!