I have found a fairly serious issue with the implementation of the recaptcha for the 'registration' process. Login and password reset do not seem to be affected. I don't know about other instances.
If you try to register with an existing username and do not check the recaptcha, you will still receive an error that the user already exists and the email is in use.
This defeats the purpose of recaptcha to protect the form, as the ONLY response from the form when the recaptcha is missing, should be that there is a recaptcha error. Currently it would be possible to brute force checking usernames and emails regardless of there being the recaptcha.
I'm hoping this can be fixed without too much effort.
Good point. The reCAPTCHA we'll take a look on this.