At the moment, there is no punishment for typing in the wrong password. That makes it very easy to be hacked. Not something that needs to be added in the beginning, but eventually.
Maybe make it 15 minutes for the first five failures. Then double it every five more failures.
The most important thing is that you make email submission mandatory (already is I think) and that you can recover your password like you do on other sites. Shouldn't ever really be any problems, then.
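One way to model the escalating lockout schedule proposed above (no penalty below five failures, 15 minutes at five, doubling every further five), as an added example that is not part of the original thread; the 24-hour cap, the in-memory `LoginGuard` state and the `attempt_login` helper are my own assumptions:

```python
from dataclasses import dataclass

BASE_LOCKOUT = 15 * 60       # 15 minutes once the first five failures are reached
FAILURES_PER_STEP = 5        # every further five failures doubles the lockout
MAX_LOCKOUT = 24 * 60 * 60   # assumed cap so the schedule cannot grow without bound


def lockout_seconds(failures: int) -> int:
    """Lockout length (seconds) implied by the schedule for a failure count."""
    if failures < FAILURES_PER_STEP:
        return 0
    steps = failures // FAILURES_PER_STEP - 1   # 5-9 -> 0, 10-14 -> 1, 15-19 -> 2 ...
    return min(BASE_LOCKOUT * (2 ** steps), MAX_LOCKOUT)


@dataclass
class LoginGuard:
    """Per-account state: consecutive failures and when the current lockout ends."""
    failures: int = 0
    locked_until: float = 0.0

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def record_failure(self, now: float) -> int:
        """Count a failed attempt; return the lockout now in force (0 if none)."""
        self.failures += 1
        delay = lockout_seconds(self.failures)
        if delay:
            self.locked_until = now + delay
        return delay

    def record_success(self) -> None:
        """A correct password clears the counter (only reachable when not locked)."""
        self.failures = 0
        self.locked_until = 0.0


def attempt_login(guard: LoginGuard, password_ok: bool, now: float) -> tuple[bool, int]:
    """Return (allowed, seconds_of_lockout_remaining).

    A locked account is refused before the password is even checked, so a
    correct guess during the lockout neither succeeds nor leaks anything.
    """
    if guard.is_locked(now):
        return False, int(guard.locked_until - now)
    if password_ok:
        guard.record_success()
        return True, 0
    return False, guard.record_failure(now)
```

Keying the counter on the account alone lets anyone who knows a username lock that user out, so deployments usually combine it with per-source throttling or a CAPTCHA step rather than relying on hard locks only.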