Support

There's a good reason why none of this is currently present :) The ServerSignature directive is not supported on most shared hosts (it is set in the system-wide httpd.conf file) and throws 500 error, that's why it's not there. The second rule kills many CDNs, browser cache control (it needs to do a HEAD request to get the 304 response), some HTTPS implementations (they need to run TRACE during the handshake) and RESTful APIs such as those provided by all Nooku-powered components. The third rule can potentially kill some form submissions and multiline input. The other rules are basic anti-XSS rules, however Joomla! itself does this kind of handling during application initialization. Duplicating them in the .htaccess file only slows down the request.

The CAPTCHA is a good idea, I'll look into it. I am not sure if it can be implemented without a template override, but it is worth examining. ReCAPTCHA would be good enough for your needs?

I was thinking about the "math quiz" CAPTCHA, but it's a simple matter of time before a hacker manages to break this (which is VERY trivial to perform). I mean, if you want to protect your login from brute force cracking, the match CAPTCHA is the least effective means. It's best to put higher obstacles in the course of the hacker. Protecting your entire administrator area with a username and password (included in Admin Tools Core) works wonders. Adding a secret query parameter and filtering by IP when possible (both included in Admin Tools Professional) seriously hampers hackers' ability to even get to your login. The math CAPTCHA can be defeated about a thousand times more easily than ReCAPTCHA, so I'll opt for the latter.

Why the match CAPTCHA is easy to defeat? In order to make it universal, it has to produce standard numbers and math symbols (+, -, /, *). The HTML can be randomized only that much. If a hacker wants to brute force his way into your site, writing a tool to parse the math quiz is ten minutes work and provides 100% accuracy. This would, essentially, provide snakeoil security. Writing code to defeat ReCAPTCHA is many months work and doesn't guarantee 100% success.