Who is this PR for?
What does this PR do?
Adds more layers of defense against attacks from attack bots, mostly throttling repeated login requests.
Which features or pages does this PR touch?
Does this PR use tests to help verify we can deploy these changes quickly and confidently?
This code will run locally and in tests, but production config is a bit different. Will deploy this to demo first and then roll out after that.