Never trust the client. If you do this in Javascript, any potential attacker can simply avoid the Javascript.
Do this in PHP. For each user, keep a time stamp of when they last attempted a login and number of failed login attempts. When someone tries to login, merely check this value. If the number of seconds elapsed since last login is too soon given the number of failures, simply redirect them back to the login page with an error message.