My site suffers from a lot of spam bots. If I have the login form:
<input name="username" type="hidden" />
<input name="password" type="hidden" />
<input name="hidden_1" type="text" />
<input name="hidden_2" type="password" />
So the user actually see's the 'hidden' prefix fields, and the username/password named fields are actually the hidden ones. If the username or password field is submitted with values, we know bot filled them out and can ban them.
My question is, do browsers auto fill hidden fields? Is this quite a good technique? I know this isn't going to stop all bots that are semi intelligent, but if this even blocks 1 bot, without affecting any genuine users it's worth doing.
I think that not all bots just search for "username" and "password" names, but also type="password". So this might not avoid bot access at all.
You can use a capture like ReCAPTCHA. It is free and easy to use. Additionally you can create a banlist and show a 404 to bots via htaccess.