I am not sure how difficult to implement this via SMF would be, however would it be possible to have users attempt to login on /login.php then on a /login2.php page would check if the account attempting to be logged into meet a certain criteria, and if so a captcha would be presented before the username/password combination would be checked against the forum DB. For example, an account that has had zero failed login attempts and has had it's password changed (via a change, reset, or otherwise) since the date of the forum hack would not need to complete a captcha, while an account that has had x failed login attempts in the past n time, or has not accessed his account in the past y time, or has not had its password changed since the forum hack would need to complete a captcha in order for the login to even be attempted.

This would prevent the need for JavaScript for most users, and would still fulfill the purpose of stopping/slowing down hacking attempts.