In order to defeat ssh bruteforce bots, I made a firewall rule that blocks for an hour anyone who connects more than 3 times within 30 seconds. It's amusing to look at the auth log:
Jan 25 01:50:41 BOTTLE sshd[58117]: Invalid user staff from 211.239.154.81
Jan 25 01:50:44 BOTTLE sshd[58119]: Invalid user sales from 211.239.154.81
Jan 25 01:50:46 BOTTLE sshd[58121]: Invalid user recruit from 211.239.154.81
Jan 25 13:09:43 BOTTLE sshd[60605]: Did not receive identification string from 159.226.234.16
Jan 25 13:11:04 BOTTLE sshd[60625]: Invalid user webmaster from 159.226.234.16
Jan 25 13:11:07 BOTTLE sshd[60627]: Invalid user admin from 159.226.234.16
Jan 25 17:24:40 BOTTLE sshd[61268]: Did not receive identification string from 219.127.251.175
Jan 25 17:26:31 BOTTLE sshd[61275]: Invalid user staff from 219.127.251.175
Jan 25 17:26:33 BOTTLE sshd[61277]: Invalid user sales from 219.127.251.175
Jan 25 17:26:35 BOTTLE sshd[61279]: Invalid user recruit from 219.127.251.175
Additionally, I use a "badguys" list to permanently block network blocks that are from, say, China or Korea... most bruters on BLENDER oddly had Chinese and Korean IPs. Now that those have all been blocked, BLENDER hasn't been bruted in months.
Maybe you can do something similar to prevent bruteforcing on the forum?
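
The rule described in the post (more than 3 connections within 30 seconds earns a one-hour block), modelled as a per-source sliding window. This is an added example, not the poster's firewall rule; the names `ConnRateLimiter` and `replay` and the sample addresses and timestamps are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_CONNS = 3                      # more than this many connections...
WINDOW = timedelta(seconds=30)     # ...within this window triggers a block
BLOCK_FOR = timedelta(hours=1)     # how long the source stays blocked

class ConnRateLimiter:
    """Models the rule itself, not any particular firewall's syntax."""
    def __init__(self):
        self.recent = defaultdict(deque)   # ip -> times of recent connections
        self.blocked_until = {}            # ip -> time the block expires

    def allow(self, ip, now):
        """Return True if a new connection from ip at time now passes."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False               # still inside the one-hour block
            del self.blocked_until[ip]     # block expired, start fresh
        window = self.recent[ip]
        while window and now - window[0] >= WINDOW:
            window.popleft()               # forget connections older than 30 s
        window.append(now)
        if len(window) > MAX_CONNS:        # 4th connection inside the window
            self.blocked_until[ip] = now + BLOCK_FOR
            window.clear()
            return False
        return True

def replay(events):
    """events: iterable of (iso_timestamp, ip); returns one bool per event."""
    limiter = ConnRateLimiter()
    return [limiter.allow(ip, datetime.fromisoformat(ts)) for ts, ip in events]

# Constructed sample (documentation addresses, not taken from the post):
# a bot connecting every 2-3 seconds, then retrying later.
SAMPLE = [
    ("2024-01-25T01:50:41", "192.0.2.10"),
    ("2024-01-25T01:50:44", "192.0.2.10"),
    ("2024-01-25T01:50:46", "192.0.2.10"),
    ("2024-01-25T01:50:48", "192.0.2.10"),    # 4th within 30 s: blocked
    ("2024-01-25T01:51:30", "198.51.100.7"),  # other source, unaffected
    ("2024-01-25T02:20:00", "192.0.2.10"),    # still inside the hour
    ("2024-01-25T02:50:49", "192.0.2.10"),    # block has expired
]
```

Calling `replay(SAMPLE)` shows the first three connections passing and the fourth triggering the block, which matches the bursts of three attempts per source in the log excerpt above.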