Hello
There is no limit (no flooding protection) on the login or contact form. You can brute-force any form on the website.
Steps:
First, intercept the request sent by the login form using a web proxy such as Burp Suite.
Then, using the same tool, you can resend the same request with different passwords.
How to fix?
Design throttling mechanisms into the system architecture. The best protection is to limit the number of resources that an unauthorized user can cause to be expended.
The frontend code is up to you. In our example, we use a simple honeypot. But of course, you could add some other type of guard, like a math guard or Google captcha or whatever you see fit for your use case.
The popular Uniform plugin comes with some guards already implemented (see the docs).
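A server-side sketch of the throttling and honeypot guard recommended above, as an added example that is not part of the original report and is not the Uniform plugin's code. The field names `website` (the honeypot) and `username`, the limits, and the status codes are assumptions.

```python
import time
from collections import defaultdict, deque


class FormThrottle:
    """Sliding-window cap on form submissions per key (client IP or account)."""

    def __init__(self, max_attempts=5, window_s=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.clock = clock
        self._hits = defaultdict(deque)  # key -> timestamps of recent submissions

    def allow(self, key):
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()  # forget submissions older than the window
        if len(hits) >= self.max_attempts:
            return False
        hits.append(now)
        return True

    def retry_after(self, key):
        """Seconds until the oldest counted submission expires (0 if not limited)."""
        hits = self._hits[key]
        if len(hits) < self.max_attempts:
            return 0
        return max(0, self.window_s - (self.clock() - hits[0]))


def handle_submission(form, client_ip, throttle):
    """Return an HTTP-style status for one POST; field names are assumptions."""
    # Honeypot: an input hidden from people with CSS. A value here means an
    # automated client filled every field, so reject before any real work.
    if form.get("website"):
        return 400
    # Key on the client and, for logins, on the target account: one client
    # cannot cycle through accounts, and many clients cannot hammer one account.
    keys = ["ip:" + client_ip]
    if form.get("username"):
        keys.append("user:" + form["username"].lower())
    for key in keys:
        if not throttle.allow(key):
            return 429  # send Retry-After: throttle.retry_after(key)
    return 200  # continue with credential check or mail delivery
```

The counters here live in one process's memory; a deployment with several workers would keep them in a shared store so the limit holds across all of them.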