To start, it doesn't sound like you've implemented reCAPTCHA correctly. You *must* validate the reCAPTCHA user response (the "fingerprint" generated on the client side) against Google's servers. You don't just check to see if the fingerprint exists on the form fill activity. And it doesn't matter if someone bypasses JS entirely, because the whole *idea* is that without executing the reCAPTCHA JS, they will always send an invalid fingerprint, thus you know they're malicious. (The honeypot, on the other hand, has never been useful and needs to be taken out of everybody's toolbox. It made no sense from the start against malicious attacks.)
... View more