Moodle tracker issue MDL-72717

Username and email validation occurs even when recaptcha fails


    • Database: MySQL
    • Affected branches: MOODLE_311_STABLE

On /login/signup.php, a recaptcha failure does not prevent a bot from deducing that a username or email address already exists. If recaptcha is enabled and the check fails, Moodle should not validate the other fields, so that usernames and email addresses cannot be enumerated.

This means a bot can use the /login/signup.php page to test, by brute force, whether a particular email address already belongs to a valid user on the site; the recaptcha offers no protection against this. That information would help attackers target specific users on the site.


Reproduction Steps

1. Go to login/signup.php.
2. Enter an email address that you know already exists as a user.
3. Fill in the rest of the sign-up form.
4. Submit the form and deliberately fail the recaptcha test (as a bot would).
5. An error message appears saying "This email address is already registered. Perhaps you created an account in the past?"

This confirms that the email address belongs to a valid user and can be used to target specific users.
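The fix the issue asks for is an ordering change in the form's validation: the captcha result must gate every other check, so that a failed captcha produces the same response whether or not the account exists. The example below is added here to illustrate that point; it is not Moodle's code and does not use Moodle's APIs. The user store, the stand-in captcha verifier (`check_captcha`, which accepts only the constructed token `valid-token`) and the error strings are all constructed for the example; the email-already-registered message is modelled on the one quoted in the report.

```python
"""
Illustrative example (not Moodle's code): why the order of signup-form
validation matters, and how gating the uniqueness checks behind the
captcha result stops a failed captcha from leaking account existence.

Everything below (the user store, the captcha stand-in, the error
strings) is constructed for this example.
"""

# Constructed sample data: the accounts that already exist on the site.
EXISTING_USERS = {
    "alice": "alice@example.org",
    "bob": "bob@example.org",
}
EXISTING_EMAILS = set(EXISTING_USERS.values())

# Hypothetical error strings, modelled on the message quoted in the issue.
ERR_CAPTCHA = "The captcha check failed. Please try again."
ERR_USERNAME_TAKEN = "This username already exists. Choose another username."
ERR_EMAIL_TAKEN = ("This email address is already registered. "
                   "Perhaps you created an account in the past?")


def check_captcha(response: str) -> bool:
    """Stand-in for a call to the captcha provider: only the constructed
    token 'valid-token' passes. A real verifier would call the provider."""
    return response == "valid-token"


def validate_vulnerable(data: dict) -> dict:
    """Validation in the order the issue describes: every field is checked
    and every error is collected regardless of the captcha result, so the
    submitter learns from the extra error whether the account exists."""
    errors = {}
    if not check_captcha(data.get("captcha_response", "")):
        errors["captcha"] = ERR_CAPTCHA
    if data.get("username") in EXISTING_USERS:
        errors["username"] = ERR_USERNAME_TAKEN
    if data.get("email") in EXISTING_EMAILS:
        errors["email"] = ERR_EMAIL_TAKEN
    return errors


def validate_hardened(data: dict) -> dict:
    """Same checks, but the captcha gates everything else: on a failed
    captcha the response is identical whether or not the account exists,
    so the form can no longer be used as an existence oracle."""
    if not check_captcha(data.get("captcha_response", "")):
        return {"captcha": ERR_CAPTCHA}
    errors = {}
    if data.get("username") in EXISTING_USERS:
        errors["username"] = ERR_USERNAME_TAKEN
    if data.get("email") in EXISTING_EMAILS:
        errors["email"] = ERR_EMAIL_TAKEN
    return errors


def leaks_existence(validate) -> bool:
    """Does a failed captcha yield different output for an existing versus
    an unknown email address? If so, the form leaks account existence."""
    failed = {"username": "newuser", "captcha_response": "wrong"}
    existing = validate({**failed, "email": "alice@example.org"})
    unknown = validate({**failed, "email": "nobody@example.org"})
    return existing != unknown


if __name__ == "__main__":
    print("vulnerable leaks existence:", leaks_existence(validate_vulnerable))  # True
    print("hardened leaks existence:  ", leaks_existence(validate_hardened))    # False
    # With a valid captcha the hardened form still reports duplicates, so a
    # legitimate user gets the same guidance as before.
    print(validate_hardened({"username": "carol", "email": "bob@example.org",
                             "captcha_response": "valid-token"}))
```

`leaks_existence` is the check worth keeping as a regression test: it submits the same failed-captcha form with an existing and an unknown address and asserts that the responses are indistinguishable. Note what the change does and does not buy: once a captcha has been solved, the duplicate-email message is still shown (it has to be, for legitimate users), so the captcha raises the per-guess cost rather than removing the signal; rate limiting on the signup endpoint and monitoring for bursts of failed-captcha submissions remain the complementary controls.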


Assignee: Unassigned
Reporter: Abraham Lim (abrahamlim)