One popular approach is to install Fail2Ban to monitor log files and lock out repeat offendors.
Of course that only works if your login system reports failed login attempts to a system log file.
The code presented below would then be used for letting the user change their password.
Instead of as this lets the browser (and the user) know that the contents of that field need to be secured.
The simplest way to do this is to have the password entered twice, and then check that they are identical.