Add honeypot field to increase bot solver resiliency

[senshi-x]

We have used this Captcha plugin successfully for a month or so before spambots started to pass it, even with fairly complex questions and extremely limited retry attempt allowances.
After adding some logging, it seems that solvers simply "bruteforce" the questions until they find the right answers and then store them so they can circumvent them in the future.

A very simple and highly successful improvement was noticed when we added a simple honeypot. Our logging then showed almost all bot attempts would be caught by the honeypot.

[Derky]

That's an interesting solution, thank you very much for looking into this and submitting a PR! I'll try it out for a while on one of my forums and merge it after.

[senshi-x]

No worries, thanks for taking a look.
I like simple solutions with big payoffs :) . Extra charm: If a solver actually catches on, just add more hidden fields and/or rename them and you have a good chance of them working again.

Example of the logs with the added debug stuff, showing that the honeypot apparently is attractive.

Our forum is not hyperactive, but more importantly it's popular in its niche and has lots of history (15+ years, ~30k users, >2.000.000 posts) and thus size, so we get hit a lot.

It doesn't stop all solvers, but it helps and has very little cost/risk or nuisance impact on legit users. Being able to slap a recaptcha v3 or turnstile captcha on top of it would be another nice addition, but certainly a bit more involved.