I’ve heard this before, that there are spambots able to evaluate JavaScript. On this website I’ve had the Hidden Captcha system for a few months and I did not have any spam comments since then. Not one.
If there will be more spambots with JavaScript support in the future, than Akismet will have to be turned back on and used together with Hidden Captcha. But at least there won’t be as many comments in the Akismet spam list that I’ll have to manually check for false positives.

The number of people without JavaScript is very small, but still I’m not denying them the right to comment. They just have to fill in the captcha.
It’s a very small compromise I’m making.

Anyone please correct me if you think I’m wrong, but I am not taking into account people that have to use screen readers AND don’t have JavaScript support. Because I’m convinced there are no such cases: lack of JavaScript AND the need for a screen reader for the same visitor seems to far fetched.

If a bot can’t execute javascript why
not remove the captcha input field?
There is no need to give check the
right value if you add the right value
via javascript, is there? Just check
if the field is present in the posted
data or not.

Not sure if I’m getting this right, but if you mean using JavaScript to remove the captcha input field and then checking its presence on the server, then this wouldn’t allow people without JavaScript to comment, would it?

I think you better use a sentence with basic math than a captcha. Or a link to a random audio file with the correct field input.

If a bot can’t execute javascript why not remove the captcha input field? There is no need to give check the right value if you add the right value via javascript, is there? Just check if the field is present in the posted data or not.

My Akismet plugin is now deactivated.

Don’t call me obscure. You’re obscure.

Kiddin’. Thanks for telling me about the Security through obscurity principle, didn’t know it actually had a name. And yes, to some degree, that’s what I’m doing.

Here’s an example of how one could complicate the JavaScript to make it harder for a spam bot that can’t evaluate JS code to get to the secret string:

secret  = '<?php echo $string[0]; ?>' + '<?php echo $string[1]; ?>';
secret += '<?php echo $string[2]; ?>' + '<?php echo $string[3]; ?>';
document.getElementsByName('code')[0].value = secret + '<?php echo $string[4]; ?>';

instead of simply:

document.getElementsByName('code')[0].value = '<?php echo $string; ?>';

…Just adding to the obscurity.

But Bartek does have a good point, which is that you are achieving something akin to security through obscurity. Your technique itself is not more secure (it is arguably not secure at all), the security comes from the fact that almost no one is going to write a comment bot for a single obscure website.

Imagine that you’re immigrating along the Oregon Trail, and that your wagon has decoration which implies you are carrying gold. When bandits target such wagons, they simply set fire to the wagon then retrieve their spoils. What you have done is the equivalent of removing the decorations that suggest gold, so the bandits decide not to target you in the first place. But if they did decide to target you, your wagon is not any less susceptible to fire.

You are giving the right answer to the captcha right in your HTML code. OK, it may not be automatically found by standard spam bots but still it’s quite easy to find.

I’m not saying it will not work, as it will be good enough as long as some spammer will write a bot to hack it.