Currently I just use a hidden text field and check to see if it gets filled. The theory is if its been filled then a bot must have done it because it’s hidden and the user would never be able to fill it.
I found this article detailing how to stop bots from auto submitting forms. It creates a form and uses CSS to hide it left: 1000px; top: 1000px; then actually adds the IP of the bot to the htaccess file to effectively ban the bot.
The second method seems a bit overkill especially since it could pollute your .htaccess file. Is my method adequate? Is the second appropriate?
Your method seems sound, but adding the IP address to .htaccess is overkill and I wouldn’t particularly recommend it. The file would grow unmanageably large pretty quickly, and banning bots/spammers by IP is like herding cats.
Honestly though, the best captcha is one of the simplest: Ask a question and expect a human response.
Just avoid putting up math questions since most bots these days will check for things like that.