How can brute-forcing passwords still exist if sites lock the account after several failed attempts?

15 Answers

Anonymous 0 Comments

In addition to what has already been answered here regarding brute force attacks directly on the database, for example, it should be noted that the solution itself is a problem.

Enabling brute force protection is great for stopping a hacker who is attempting multiple passwords on a given account, but the downside is that the legitimate account owner will also end up being blocked.

If generic scripts regularly bombard your sites to detect accounts with weak passwords, resulting in frequent blocking of your users, you cannot keep this protection in place.
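
The trade-off described in this answer, as an added example that is not part of the original answer: a replay of constructed login events through a per-account lockout policy, showing the owner's correct password being refused. The threshold, window, lock duration, and account names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values for illustration (not from the original answer).
THRESHOLD = 5        # failed attempts before the account is locked
WINDOW = 300         # seconds over which failures are counted
LOCK_SECONDS = 900   # how long the account stays locked

def replay(events, threshold=THRESHOLD, window=WINDOW, lock_seconds=LOCK_SECONDS):
    """Replay login events against a per-account lockout policy.

    events: iterable of (timestamp, account, source, password_ok), sorted by time.
    Returns (timestamp, account, source) for every attempt that carried the
    correct password but was refused because the account was locked.
    """
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    locked_until = {}               # account -> time at which the lock expires
    owner_denied = []
    for ts, account, source, password_ok in events:
        if locked_until.get(account, 0) > ts:
            if password_ok:
                owner_denied.append((ts, account, source))
            continue                # locked: refused regardless of the password
        if password_ok:
            failures[account].clear()
            continue
        recent = failures[account]
        recent.append(ts)
        while recent and recent[0] <= ts - window:
            recent.popleft()        # forget failures older than the window
        if len(recent) >= threshold:
            locked_until[account] = ts + lock_seconds
            recent.clear()
    return owner_denied

# Constructed sample log: automated guesses against two accounts, plus each
# owner signing in with the correct password.
SAMPLE = (
    [(t, "alice", "script", False) for t in range(0, 50, 10)]      # 5 failures
    + [(60, "alice", "owner", True)]                               # during the lock
    + [(t, "bob", "script", False) for t in range(100, 130, 10)]   # 3 failures only
    + [(140, "bob", "owner", True)]
    + [(1000, "alice", "owner", True)]                             # after lock expiry
)

if __name__ == "__main__":
    for ts, account, source in replay(SAMPLE):
        print(f"t={ts}: {account} ({source}) refused despite correct password")
```
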
