Adding reCAPTCHA to the admin login page

As far as I know there is no "build in way" to achieve this. There is a way but it's really ugly and I would suggest you not to do what I write. Maybe someone can make it a little bit "cleaner" better or whatever but this code should actually not be used. It's only some kind of food for thought..

Ok so... you could inject a custom javascript code during the login process that adds a captcha to the login html...

public function init(){
    parent::init();
    if(craft()->request->url === "/admin/login"){
        // build your captcha, store the correct one in your session and build your html here
        craft()->templates->includeJs(
            // after document ready, append your html to the form
            // $("#login-form").append(yourHtml); or something like that
        );
    }
}

Like I said, it's a but ugly but I was not able to find a "clean way". The other workaround would be adding your code directly into the login.html but as soon as this file is updated you would have to include your html again (or you would have to prevent updates at all)

Then you can use this hook Link to check if the passed paramter matches yours. The following code is just an example. I didn't include any security checks. Don't use this as it is on your website.

craft()->on('userSession.onLogin', function(Event $event){
    $captcha = craft()->request->getPost('yourCaptchaParam');
    if($captcha !== craft()->httpSession->get('captcha')){
        $event->performAction = false;
    }
    return false;
});

Edit: ups sry - I saw too late you want to use the reCaptcha and not a captcha.. but the process would be the same

Edit2: This is the default craft login action. You can try to remove the default event handler from the button and attach your own in your init as well

submitLogin: function()
{
    var data = {
        loginName: this.$loginNameInput.val(),
        password: this.$passwordInput.val(),
        rememberMe: (this.$rememberMeCheckbox.prop('checked') ? 'y' : '')
    };

    Craft.postActionRequest('users/login', data, $.proxy(function(response, textStatus)
    {
        if (textStatus == 'success')
        {
            if (response.success)
            {
                window.location.href = Craft.getUrl(response.returnUrl);
            }
            else
            {
                //since you have no ganish, just change that to a jquery method
                Garnish.shake(this.$form);
                this.onSubmitResponse();

                // Add the error message
                if (!error)
                {
                     error = Craft.t('An unknown error occurred.');
                }

                this.$error = $('<p class="error" style="display:none">'+error+'</p>').insertAfter($('.buttons', this.$form));
                this.$error.velocity('fadeIn');
            }
        }
        else
        {
            this.$submitBtn.removeClass('active');
            this.$spinner.addClass('hidden');
            this.loading = false;
        }

    }, this));

    return false;
},

We do this at Transform Studios at the DNS level by using cloudflare’s Web Application Firewall. You can basically add a rule which targets any url that matches the control panel login page and secure it with a captcha challenge before giving access to the page. I’ve found this is best to handle security before visitors even hit your site and more importantly prevents any core code base changes or creation of addons.