At this moment ReCaptcha is the state of the art in terms of preventing automated access (bot). Blocking IPs, on the contrary is a very poor and circumventable solution for this kind of problem.
ReCaptcha is very good at stopping bots, yes, though it is very easy for a human to complete. Therefore, botters can just send the captcha to a solving service powered by humans to get the job done. So far, FunCaptcha and AreYouAHuman has proven to be some of the best for stopping this technique due to how the captcha works. Perhaps those would be worth it to implement for anti-bot measures.
Also, you're right, blocking IPs is a fairly poor way of stopping bots and abusers from going to your faucet. What has been found is blocking hostnames works significantly better (As there has been a trend of botters using VPSs such as AWS and such). Blocking these and services such as TOR would definitely be good to implement in the next build, if possible.