Increasing time delay for login to stop brute-forcing: good idea?

The first issue I see is that you are dealing with a bot that doesn't care if there is a delay between responses. Unless you do something to limit this, you are using up system resources with potentially very long delays. Just ban the IP after 5 failed attempts. It can be a temporary ban if you are worried about banning a real user.


Limit retries by IP and use a CAPTCHA. Don't overload your server; think KISS.


What about something like:

$delay = 10 * log($failed_attempts) ** 10; // seconds; ** is the power operator (PHP's ^ is bitwise XOR)
time_nanosleep((int) $delay, (int) (($delay - (int) $delay) * 1e9)); // whole seconds, remainder as nanoseconds (must stay below 1e9)

This will give you an exponentially increasing attempt window.
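Added example (not from any poster on this thread) combining the two suggestions above: a per-IP throttle with an exponentially growing window that turns into a temporary ban after 5 failures. It avoids the resource problem raised in the first answer by recording a "not before" timestamp and rejecting early instead of sleeping on the request. The class name, thresholds and injectable clock are assumptions for illustration.

```python
import time
from dataclasses import dataclass

MAX_FAILURES = 5        # failures before a temporary ban (first answer)
BAN_SECONDS = 15 * 60   # length of the temporary ban
BASE_DELAY = 1.0        # delay after the first failure; doubles per failure
MAX_DELAY = 60.0        # cap on the backoff window before the ban kicks in


@dataclass
class _State:
    failures: int = 0
    not_before: float = 0.0   # clock time before which attempts are rejected


class LoginThrottle:
    """Per-IP login throttle: exponential backoff, then a temporary ban.

    Nothing here sleeps. A throttled request is rejected immediately with
    the remaining wait, so a bot hammering the endpoint holds no workers.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock            # injectable for testing (assumed design)
        self._by_ip: dict[str, _State] = {}

    def check(self, ip: str) -> tuple[bool, float]:
        """Return (allowed, seconds_until_allowed) for an attempt from ip."""
        st = self._by_ip.get(ip)
        now = self._clock()
        if st is None or now >= st.not_before:
            return True, 0.0
        return False, st.not_before - now

    def record(self, ip: str, success: bool) -> None:
        """Update the state for ip after a login attempt."""
        now = self._clock()
        if success:
            self._by_ip.pop(ip, None)  # a successful login clears the counter
            return
        st = self._by_ip.setdefault(ip, _State())
        if st.failures >= MAX_FAILURES and now >= st.not_before:
            st.failures = 0            # previous ban expired; count afresh
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.not_before = now + BAN_SECONDS
        else:
            # 1s, 2s, 4s, 8s ... capped at MAX_DELAY
            st.not_before = now + min(MAX_DELAY, BASE_DELAY * 2 ** (st.failures - 1))
```

Call `check()` before verifying credentials and `record()` afterwards; on a rejection, return the wait time to the client (or a CAPTCHA, per the second answer) without touching the password check.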