Two other things I just remembered: only send your "someone is hacking" email once or twice, at specific counts. You don't want to fill someone's email inbox with hundreds or thousands of automated attack email alerts.
Also, for us, our users supply an account number, user name and password. For slightly better security we opted to not give detailed info of what failed. Instead we return a generic "invalid account number, user name or password."
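The two points in the post above, as an added example that is not part of the original post: failed logins are counted per source, an alert goes out only when the count lands exactly on a threshold, and every failure returns the same generic message. The thresholds (10 and 100), the per-source counting, and the names `LoginGuard`, `sample_check` and `simulate` are assumptions made for illustration.

```python
import hmac

GENERIC_ERROR = "Invalid account number, user name or password."
ALERT_COUNTS = frozenset({10, 100})  # assumed thresholds; the post gives no numbers

class LoginGuard:
    """Counts failed logins per source and alerts only at fixed counts."""
    def __init__(self, check_credentials, send_alert):
        self._check = check_credentials  # hypothetical verifier: (acct, user, pw) -> bool
        self._send_alert = send_alert    # hypothetical mailer: (message) -> None
        self._failures = {}              # source -> failures since last success

    def attempt(self, source, account, user, password):
        if self._check(account, user, password):
            self._failures.pop(source, None)  # a success resets the counter
            return True, "OK"
        count = self._failures.get(source, 0) + 1
        self._failures[source] = count
        # Alert only when the count lands exactly on a threshold, so a burst of
        # thousands of attempts yields len(ALERT_COUNTS) emails, not thousands.
        if count in ALERT_COUNTS:
            self._send_alert(f"{count} failed logins from {source}")
        # Same message whichever field was wrong: no hint about what was valid.
        return False, GENERIC_ERROR

# Constructed sample store; a real one would hold password hashes, not plaintext.
_SAMPLE = {("1001", "alice"): "correct horse"}

def sample_check(account, user, password):
    expected = _SAMPLE.get((account, user), "")
    # Constant-time compare; an unknown account or user takes the same path.
    return hmac.compare_digest(expected.encode(), password.encode()) and bool(expected)

def simulate(attempts):
    """Run `attempts` bad logins from one source; return (alerts, messages seen)."""
    alerts, messages = [], set()
    guard = LoginGuard(sample_check, alerts.append)
    # Constructed inputs: wrong account, wrong user, wrong password in turn.
    bad = [("9999", "alice", "x"), ("1001", "bob", "x"), ("1001", "alice", "x")]
    for i in range(attempts):
        _, msg = guard.attempt("203.0.113.7", *bad[i % 3])
        messages.add(msg)
    return alerts, messages

if __name__ == "__main__":
    print(simulate(1000))
```
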