For starters, dynamically generate the names for the form fields names based off of a hash of the current server timestamp (needs to have millisecond resolution for the timestamp) rather than have a form field name that looks something like "username" or "password". Instead, you just check the form field names, which are hashes themselves, against your cached hash to see if it's a username or password. This prevent your run of the mill bots looking for form field names like "username", "password_1", "password_2", etc. It'll force them to have to rely on DOM structure patterns to navigate, which is a bit harder.
Also, recently Google recaptcha's been bypassed with 85% accuracy
when bots use the audio option.