I was convinced until the main suggestion was to, "Consider throttling invalid login attempts by IP address or subnet."

The rest sounded okay but that seems to indicate that the author probably hasn't tried to solve the security problem on a busy site.