Add a new section to the end of Chapter 10. Post Installation Configuration of the EAP Installation Guide:

Note that the authentication system applied to the JMX Console, Admin Console and Web Console does not block brute-force password attacks. It is recommended that in production environments, JBoss servers are protected by firewalls or reverse proxies that include measures to mitigate brute force attacks.