IDG Answers is a community of experts who are passionate about technology. Ask a question or answer one below.
It’s less database intensive to check the CAPTCHA than it is to check user login/account information. By having CAPTCHA checked first, if it is not correct, there is no need to go forward with the rest of the login operation. Stopping DDoS attacks is not what CAPTCHA is really intended to do, and while it may help somewhat, the level of DDoS protection is pretty low, especially against a more sophisticated attack.