After thinking about this more, here is what I'm thinking now.
I have a table that tracks failed login attempts. When such an event occurs I track:
The time
Username
IP
CFID
When someone tries to log in to the site, before it checks for validation it queries the bad-attempts table for any of these values that have happened in, say, the last hour.
If there are, say, more than 5 attempts in the past hour it denies the logon and explains why.
That way, in an hour's time they can try again.
Two other things that cross my mind: I should email the person whose user account has the repeated failed attempts to let them know someone may be trying to hack their account. Lastly, I should probably have another field, say a single bit, that an admin can flip that causes the attempts not to count. I.e. if someone actually does make multiple bad attempts and then contacts an admin to get their account unlocked, once they verify they are who they say they are, allow them to log on without having to wait.
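The scheme described in the post, as an added example that is not the poster's code: Python with an in-memory SQLite table standing in for the bad-attempts table. The table and column names, the threshold and window values taken from the post, and the sample user, IP and CFID values are all constructed for this example.

```python
import sqlite3
from datetime import datetime, timedelta
WINDOW = timedelta(hours=1)   # look-back window from the post
MAX_ATTEMPTS = 5              # deny once more than this many counted failures fall in the window

def open_db():
    """Create the bad-attempts table (in-memory SQLite, constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE bad_attempts (
            attempt_time TEXT    NOT NULL,  -- ISO-8601 so string comparison orders by time
            username     TEXT    NOT NULL,
            ip           TEXT    NOT NULL,
            cfid         TEXT    NOT NULL,
            ignored      INTEGER NOT NULL DEFAULT 0  -- admin-flipped bit: 1 = do not count
        )""")
    return conn

def record_failure(conn, username, ip, cfid, when):
    conn.execute("INSERT INTO bad_attempts VALUES (?, ?, ?, ?, 0)",
                 (when.isoformat(), username, ip, cfid))

def is_locked(conn, username, ip, cfid, now):
    """True if username, IP or CFID has more than MAX_ATTEMPTS counted failures in WINDOW."""
    since = (now - WINDOW).isoformat()
    (count,) = conn.execute("""
        SELECT COUNT(*) FROM bad_attempts
        WHERE attempt_time >= ? AND ignored = 0
          AND (username = ? OR ip = ? OR cfid = ?)""",
        (since, username, ip, cfid)).fetchone()
    return count > MAX_ATTEMPTS

def admin_unlock(conn, username):
    """Flip the bit so a verified user's own failures stop counting."""
    conn.execute("UPDATE bad_attempts SET ignored = 1 WHERE username = ?", (username,))

def demo():
    """Constructed scenario: six failures for alice from one IP within a minute."""
    conn = open_db()
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    for i in range(6):
        record_failure(conn, "alice", "10.0.0.5", "cfid-a", t0 + timedelta(seconds=10 * i))
    results = {
        "alice_locked": is_locked(conn, "alice", "10.0.0.5", "cfid-a", t0 + timedelta(minutes=5)),
        "same_ip_locked": is_locked(conn, "bob", "10.0.0.5", "cfid-b", t0 + timedelta(minutes=5)),
        "after_window": is_locked(conn, "alice", "10.0.0.5", "cfid-a", t0 + timedelta(hours=1, minutes=1)),
    }
    admin_unlock(conn, "alice")
    results["after_unlock"] = is_locked(conn, "alice", "10.0.0.5", "cfid-a", t0 + timedelta(minutes=5))
    return results
```

Because the query matches on any one of the three values, a burst from a single IP locks out every username tried from it, which is the intended behaviour but also means a shared address (an office NAT) can be locked by one user's failures.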