Have Cookie-to-Header security token on login form
Ideally someone should not be able to POST to the login processor without going through the form first. A good example of this would be the CloudFlare login: https://www.cloudflare.com/a/login - you'll see this hidden form field:
<input type="hidden" name="security_token" autocomplete="false" value="blahblahblahblahXYZ123">
This is a once off, so if I POST to /a/login without this, I get an "Invalid Security Token" error. This means that any visitors are first subject to the form, and then any [re]CAPTCHA or terms that are on it, and also of course prevents rapid/scripted brute force attacks.
More information can be found here: https://en.wikipedia.org/wiki/Cross-site_request_forgery#Cookie-to-Header_Token
I am aware that there is CSRF tokenisation after the login process to prevent that level of CSRF, and that this Cookie-to-Header token pre-login could not be default due to 3rd party integrations being broken, but it would be of a massive security benefit to be able to enable it if external integrations are compatible.