I'm about to admit defeat. I admittedly don't know much about PHP, and just help a guy that knows nothing, by copying and pasting repairs and adding modules for him as needed.
The module has been installed in header tags since I installed and got it working for the contact us page. Create account page is selected from the list in that module. I have tried adding the above script code in multiple places within the file: top of the code, bottom of the code, including above and below the changed line that adds the validateMyForm, inside the honeypot containers of the code added above buttonSet.
As soon as I change the file from .BAK back to .php the site starts getting hammered with fake accounts again. I can't turn it back on again for long enough to test it myself; if I refresh the admin page I see all the new accounts within minutes. I can see them hitting it in the server logs too while that file extension is changed, but it returns an error because the file doesn't exist. I have banned about 20 ranges of IPs but since there are literally millions of those it's unreasonable and I can't even stay on top of it.
I might just have to try to find an "I'm not a robot" module and get it installed, gotta be better than what's happening now. I wanted to try this because it seemed like a better solution, but it has me defeated. And oddly enough, even with the new user module turned off, and the create account misnamed, some guy from Switzerland was able to create an account yesterday and place an order. How can that happen? Guest ordering is off. If you add something to the cart, the way it is now with new user turned off, it asks you to login. You don't need to have an account to checkout through PayPal but I don't think it can create an account that way. Is there some kind of back door, or something I don't have turned on/off?