In some cases, a hacker might gain control of the server and be able to execute their own commands directly to the software on the server or obtain a copy of the database storing the hashed passwords. In either case, the webpage’s limitations on password attempts doesn’t matter because the hacker may not be using the webpage to check password attempts.