[_ck_]

You really get that many humans registering to spam on a smaller site?

One solution I use on a large site is to prevent any post with more than 2 urls.

Spammers typically cannot help but be morons and post several urls at once, normal humans rarely post more then two per post, and then not every post.

Not sending a password would be fairly easy by hacking the core, I’d have to look at it more carefully to see if it can be done via plugin without hacks. I believe it’s done in pluggable.php which means it’s replaceable, so that’s good.

Another method would be to use my Instant Password but NOT do the final step of logging them in and activating the account, but instead store a scrambled password and log the request, then manually authorizing it which would drop their chosen password hash into place. The important/hard part is not letting them request a new password to activate the account.

This might also be worth a shot but not sure if it’s useful against humans unless they work from the same IP pool:

https://bbpress.org/forums/topic/new-stop-forum-spam-api-plugin-block-fake-user-registrations