Your approach (deleting files for the user) is really bad practice, but if you absolutely need to do it, here is one way...
Create a database table (or entries in an existing table) to store the username and number of attempts. Before authenticating, check the attempts are below a set amount. In the authentication part, if the password is wrong, increment the "attempts" column. Whenever the user successfully logs in, set attempts to zero again. If they exceed the number of attempts, delete the files or take whatever security measures you need to.
Now, to make this design better, I would suggest not actually deleting the data on the server. Instead, I would recommend that after X number of failed attempts, increased security measures are applied to people attempting to log in for that username, such as:
- require the user to solve a captcha so you know they aren't a bot trying multiple passwords
- store "security questions" for each user (e.g. "What is your birthday"), and require them to answer those
- lock the account out and have a secure procedure for the real user to gain access again
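The attempt counter and the escalation steps described in this answer, as an added example that is not part of the original answer. It assumes an SQLite table named `users`, hypothetical thresholds `CAPTCHA_AFTER` and `LOCK_AFTER`, and a `captcha_ok` flag supplied by whatever captcha check the site uses; the function names are also illustrative.

```python
import hashlib
import hmac
import os
import sqlite3

CAPTCHA_AFTER = 3  # assumed threshold: demand a captcha from this many failures
LOCK_AFTER = 6     # assumed threshold: refuse all logins from this many failures

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS users (
        username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL,
        attempts INTEGER NOT NULL DEFAULT 0)""")
    return db

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(db, username, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
               (username, salt, _hash(password, salt)))
    db.commit()

def login(db, username, password, captcha_ok=False):
    """Return 'ok', 'denied', 'captcha_required' or 'locked'."""
    row = db.execute("SELECT salt, pw_hash, attempts FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return "denied"
    salt, pw_hash, attempts = row
    # Check the counter before the password is looked at, so a locked or
    # captcha-gated account gives a guesser no feedback about the password.
    if attempts >= LOCK_AFTER:
        return "locked"  # real user regains access through a separate recovery path
    if attempts >= CAPTCHA_AFTER and not captcha_ok:
        return "captcha_required"
    if hmac.compare_digest(_hash(password, salt), pw_hash):
        db.execute("UPDATE users SET attempts = 0 WHERE username = ?", (username,))
        db.commit()
        return "ok"
    # Increment inside SQL so two concurrent failures cannot overwrite each other.
    db.execute("UPDATE users SET attempts = attempts + 1 WHERE username = ?",
               (username,))
    db.commit()
    return "denied"
```

Nothing is deleted at any threshold: the counter only gates the login, and a successful login resets it to zero.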