I don't get why you need an custom plugin; Try SI CAPTCHA Anti-Spam or Fast Secure reCAPTCHA by Mike Challis...
(not affiliated; i just like the guys work, and these secure even more)
To secure your Wp site only a security layer on your login isn't going to do much.
Security plugins like Wordfence, Sucuri and Bulletproof Security could also do the trick.
There is no thing as bot proof; they evolve every day; but these plugins have proven them self over the years.
Most of the time a plugin ads an, to normal visitors non visible, extra box; logic is the bot will put some data in it, a visitor not.
Other ways are checking user agent, browser signature and blacklisting (email/IP addresses etc)
And as long as a plugin is released under the right licence you are allowed to rip it apart/clone it/modify it etc.
As long as you uphold the licence.
ps if more detailed advice is needed feel free to contact me