I was just wondering if something like this would work:
`$_POST['captcha']` is compared to the transient from the database; if it matches, return success, otherwise fail.
What do you think? Is this secure?
If you do go down this route, one thing you’ll also want to do is add a hidden nonce to the form to make sure that the user agent responding to the captcha is the one you just generated it for. WordPress’s wp_nonce functions can help you do this easily. Otherwise, if you do not flush your captcha transients carefully, it’s possible for someone to cache the page with the captcha and have another user agent send the response.
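Here is an added example (not the answerer's code) of how the transient check and the nonce fit together: the captcha value is stored under a key derived from a random per-form token carried in a hidden field, the submission must also pass a WordPress nonce check, and the transient is deleted before comparison so each challenge can be answered once. The field names, the `mycaptcha_` prefix, the nonce action name and the image helper are assumptions.

```php
<?php
// Added example, not from the original answer. Assumed names: the form posts
// 'captcha', 'captcha_token' and the '_wpnonce' field that wp_nonce_field() emits.
define( 'MYCAPTCHA_ACTION', 'mycaptcha_form' ); // hypothetical nonce action name

// Render the form: create the challenge, store it keyed on a fresh per-form token.
function mycaptcha_render_form() {
    $code  = strtoupper( wp_generate_password( 6, false, false ) ); // letters/digits only
    $token = wp_generate_password( 32, false, false );               // binds this form instance
    // A cached copy of the page still carries this token, but the transient is
    // single-use, so the stored value cannot be replayed once it has been consumed.
    set_transient( 'mycaptcha_' . hash( 'sha256', $token ), $code, 5 * MINUTE_IN_SECONDS );

    echo '<form method="post">';
    echo '<img src="' . esc_url( mycaptcha_image_url( $code ) ) . '" alt="">'; // hypothetical helper
    echo '<input type="text" name="captcha" autocomplete="off">';
    echo '<input type="hidden" name="captcha_token" value="' . esc_attr( $token ) . '">';
    wp_nonce_field( MYCAPTCHA_ACTION ); // adds the hidden _wpnonce (and referer) fields
    echo '<button type="submit">Submit</button></form>';
}

// Verify a submission. Returns true only if nonce, token and captcha all check out.
function mycaptcha_verify_post( array $post ) {
    if ( empty( $post['captcha'] ) || empty( $post['captcha_token'] ) || empty( $post['_wpnonce'] ) ) {
        return false;
    }
    // Nonce check: the submission must come from a form WordPress issued for this action.
    if ( ! wp_verify_nonce( $post['_wpnonce'], MYCAPTCHA_ACTION ) ) {
        return false;
    }
    $key      = 'mycaptcha_' . hash( 'sha256', $post['captcha_token'] );
    $expected = get_transient( $key );
    // Flush before comparing: a wrong or repeated answer burns the challenge,
    // which is what prevents the cached-page / second-user-agent replay.
    delete_transient( $key );
    if ( false === $expected ) {
        return false; // expired, unknown token, or already used
    }
    // Constant-time compare so response timing does not leak partial matches.
    return hash_equals( (string) $expected, strtoupper( trim( $post['captcha'] ) ) );
}
```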