Ya it could be done through small transactions also. But also changed IP access of API should also be verified by faucet owner through email.
That's also already implemented. You can limit what IP addresses can use your API in the security tab in FaucetBOX.com Dashboard. It's called ACL.
Also faucetbox API is just like key to bank account. Hosting provider can easily access it. There must be some security feature for protection from hosting provider
It's technically impossible. If the script can send coins, so can a hosting provider. The only safe way is to host it yourself.