For protecting admin by ip you could use htaccess like here :http://xoops-tips.com/news-article.storyid-9.htm or set this in the options of protector.

Protector can also check how many times someone tries to login and block too many login attempts.

For me, I would like to see that users are forced to give two names (login and real name) and that modules at least have a choice to display one or the other.

yes the no statement argue that its difficult.
but in my site with +25000 member in the range of 13-18 years old, nobody complain about a different login name and display name, in the contrary they are like it.
simply with a short note in the register page everyone know what is login name and what is display name.
also in a RPG site visitors can choose long display names and login will not bother them.

also for non-english websites we have to put valid characters for register to "light" mode unless no one could register with the local language.